Closed Bug 122445 Opened 23 years ago Closed 17 years ago

URL: Spoof - userpass looks like a hostname

Categories

(Core :: Security, enhancement, P3)

Product:
Core
Component:
Security
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.7alpha

People

(Reporter: slice1900, Assigned: adamlock)

References

(Blocks 2 open bugs,
URL
)

Details

Attachments

(7 files, 3 obsolete files)

Mockup of URLbar with username/password entry
22.90 KB, image/png
Details
Mockup of alert idea
4.87 KB, image/png
Details
Simple HTML with example links
658 bytes, text/html
Details
The simplist way to provide trust between websites and users without breaking the web as we know it.
25.93 KB, image/jpeg
Details
Patch
7.37 KB, patch
Details | Diff | Splinter Review
Screenshot of styled page (this page, in fact) - no mockup
28.51 KB, image/png
Details
added pref("browser.urlbar.showUserPass")
42.23 KB, patch
Details | Diff | Splinter Review
There are a lot of dodgy links on the net where someone will try to redirect you to somewhere other than where you think you are going. I saw the above link in a story at The Register (http://www.theregister.co.uk/content/28/23859.html) and according to the story, Opera will warn a user when it encounters such a link. That sounds like a good idea, Mozilla ought to steal^H^H^H^H^Hborrow it. I'm not sure if you'd want to warn on every occurrance, perhaps it should only warn when the "username" has one or more .'s. Like some of the other security warnings, it could include a checkbox to allow users to disable the warning if they use HTTP authentication and has .'s in their usernames. I filed this under enhancement, but it could be thought of as fixing a security bug...
reporter: can you please summarize what mozilla does and what mozilla should be doing? thx!
Darin: If you open this link : http://www.microsoft.com&item%3Dq209354@hardware.no/nyheter/feb01/Q209354%20-%20HOWTO.htm you think that you are going to microsoft.com but you are on hardware.no...
cc'ing mitch for comment on the potential security impact of this.
Yeah, this is worth thinking about. It's basically a way to confuse a user as to the meaning of a particular URL. I'm not sure how serious this is - I would say not very serious but still worth fixing. Let's keep this bug, and assign it a low priority.
Confirming.
Status: UNCONFIRMED → NEW
Ever confirmed: true
mstolz: I saw this link yesterday on IRC (#mozilla) but i realized today that I was not on the microsoft.com server ! (You can think that I'm stupid but i know what user@domain.com means) What happens if I create my own banking page (use a nice CGI script: User enters password on my page (looks identical to the real banking page)-> Server send this password to the real banking site->Server gets Account informations from the banking page-> Server sends this to the user. I can steal money with this (transfer money to a bank on a little island)! There are many users out there who don't know what user@domain.com means...
-> future, unless someone can convince me that we really need this by moz 1.0.
Priority: -- → P5
Target Milestone: --- → Future
From a corporate security perspective this is a great feature which we need sooner rather than later. Many hacker websites are put up each week and even more emails to employees go out each week enticing them to go to websites that have "obfuscated" URLs like "http://www.OfficialCorporateSite.com@hackersite.org". They trick people to give up credentials, etc. Clearly this won't solve the entire problem of social engineering, but getting this fix in will raise the bar for the hackers. Referring the poster's comments about whether or not to warn if there are so many "."s in username: I agree, if the parser can also sniff out encoded periods. Strictly looking for the ascii character "." will be easily circumvented by encoding it as %21 (or whatever the correct code is).
this is probably best solved in docshell's URI fixup code... necko doesn't have any way of presenting a warning to the user during URL parsing, but docshell could look at the URL structure after it is parsed to determine if it should warn the user about this.
Assignee: darin → adamlock
Component: Networking: HTTP → Embedding: Docshell
QA Contact: tever → adamlock
URI fixup code only gets invoked when you type the URI into the address bar, not when you click on something. Do we have any kind of security mechanism already to veto whether a link should be loaded or not?
We sure do - nsScriptSecurityManager::CheckLaodURI, which is due for an overhaul anyway. Do you think we should add this warning to CheckLaodURI?
Makes sense to me :) Want to take it? CheckLoadURI could have checks for this, hex encoded addresses and any other scams you know of. In response it could display a security warning about an unusual URL, perhaps displaying info about the real address the link points to.
-> Mitch
Assignee: adamlock → mstoltz
Component: Embedding: Docshell → Security: General
*** Bug 134371 has been marked as a duplicate of this bug. ***
My opinion is that you could add an option to show a warning when you are opening an URL as user@domain.com but basically this syntax is correct and must be allowed.
It's obvious, but it needs to be said. The pop-up dialog should clearly tell the user what the warning is about. Possible text would be: By loading this link, the browser will attempt to automatically login to %site% using username %username% and password %password%. Do you wish to continue? Continue, Cancel. Click here to disable this warning.
Keywords: mozilla1.0.1
*** Bug 137286 has been marked as a duplicate of this bug. ***
*** Bug 140064 has been marked as a duplicate of this bug. ***
Blocks: 140064
The warning doesn't have to be a dialog box. You could open an additional toolbar, displaying the hostname, in these cases, or similar.
Oh, and "telling me the host I am currently visiting might not be enough, because I might not want to visit the site *at all*. (JS exploits, ad-popups, offending content, whatever reason.) *Before* clicking on a link, I already have to be aware of the host I am about to go to." (from bug 140064).
Summary: Warn user if username encoded in link → Warn user if username/password encoded in link
Proposed relnote: If a username or password is embedded into a URI in the form of http://username:password@sitename.com Mozilla will not warn the user of this when the user follows the link. URI's with long usernames in the form of http://www.mozilla.org%2084230482304982304329048230948@fraudsite.com could deceive users into thinking they were going to mozilla.org when they were really going to fraudsite.com.
Keywords: relnote
I don't think that this need a relnote.
This is a RFE bug and i agree with BenB that this doesn't need a relnote
It is technically RFE, but it is an important issue that could affect a lot of users.
minusing for 1.0.1. this is a feature enhancement and should be hashed out on the trunk.
Keywords: mozilla1.0.1mozilla1.0.1-
Keywords: mozilla1.1
We could replace dots in the username and password with %2e as part of URL canonicalization, eleminating the need for a dialog. To be safe, we could also escape other punctutaion, such as &, %, and $. We do not need to escape ?, \, and / because they already automatically end the username part of the URL, but since they're not present in unescaped form, calling a function that escapes them won't hurt. We already escape = and space. I think escapeDots(escape(unescape(username))) would do what I want.
Keywords: relnote
Summary: Warn user if username/password encoded in link → Warn user if username/password in link look like a hostname
why did the relnote keyword get lost? I don't see any commentary about that.
Jesse: If I understand you correctly, you suggest, that whenever we see a link, we should escape that link fully. At least we should fully escape username and password. This escaped version should be displayed wherever the link gets displayed, i.e. when hovering a link the string shown in the status bar should be the escaped version, when you do "copy link location", when you use "view page info / links". In addition, when you click the link and the new page has been loaded, the URL displayed in the URL bar should also be a fully escaped version. This sounds like a good idea to me. The information shown would no longer look like: http://www.mozilla.org&fakefakefakefakefake..... but like: http://www%2emozilla%2eorg&fakefakefakefakefakefake..... Do we agree this would be sufficient to avoid the confusion on the user's side?
and our http code already automatically unescapes the username and password before encoding them in the Authorization header. seems like a good suggestion to me. perhaps it would be sufficient to simply modify the escape table in nsEscape.cpp. that should work, however, i seem to recall that there is some unescaping done in the status bar when hovering over a link. we'd probably have to touch that code to make it not do that for the username/password, i guess.
... but be aware of issues with escaping already escaped urls again ...
While it might help to have the dots show up as %2e, how many of your average users (I'm thinking more of Netscape's audience than Mozilla's) will understand the significance of this? Sites like hotmail that make use of long URLs with encoded information have trained users that the contents of the URL bar is often gibberish. When you visit an external site, hotmail uses a numerical IP in the URL, even users hip to the significance of www%2emozilla%2eorg may not notice 207%2e200%2e81%2e215. It is just too much to expect of end users to read the URL bar after each and every link they click on to be sure it is the site they intended. How many of those reading this do so? I know I sure don't! What is needed is a dialog that a login/password are being used to access site.domain.com, showing the username and password, with an OK and cancel button. Under certain circumstances (login name contains '.' or '%2e' or is longer than x characters or whatever) a message might be added that this could be an attempt to misdirect you and recommend hitting cancel unless you are sure you know what are doing. Perhaps cancel would be the default button instead of OK in such circumstances. Having a gibberish username confronting you, along with a recommendation that you shouldn't go on unless you are sure you know what you are doing is far better. Ben is definitely right in comment #20, the user should know this BEFORE he visits the site, due to the possibility that the destination site could make use of various exploits or tracking bugs that may be uncovered down the road. Relying on the user to see something odd in the URL bar, or notice some additional read-only status bar isn't sufficient, and those ideas shouldn't be considered IMHO, as they will only reduce by a very small amount the number of people affected. Even a dialog box won't eliminate the problem 100% because some people may sleepwalk their way through and click OK without reading, but then at least we can say we tried :)
> What is needed is a dialog that a login/password are being used to access > site.domain.com, showing the username and password A dialog for each URL/host with a username is a bad idea, because one webhoster here in Germany sells website addresses which looks like email adresses as feature, e.g. "joe@average.com" = <http://joe@average.com>. I am generally reluctant to add any dialog, unless we are about to do something really dangerous.
The only difference we display between a SSL and a non-SSL site is a little lock icon in the lower-right; I don't see why a site with a username/password should get anything more; probably less. The point was to prevent people from seeing http://windowsupdate.microsoft.com/yadayadayada/yada/yada/whatever@yadayadayada/ and assuming it is actually windows update. A dialog is a major overkill! It seems that just displaying any user name and/or password from a link urlencoded would fix the problem, no?
http://windowsupdate.microsoft.com/yadayadayada/yada/yada/whatever@yadayadayada/ _is_ windows update. the '/' after windowsupdate.microsoft.com takes precedence over the '@'.
Re: Ben's comment #32 Mozilla already has a number of "annoying" dialogs like the ones you get when you enter/leave an SSL site, with a checkbox you can uncheck for showing that warning again in the future. This would be a prime candidate for such a warning, since the vast majority of web users will rarely or never visit a site that legitimately uses an '@' in the URL or has a login/password. But for that minority who do, it would be easy to disable such warnings. I guess I disagree with your implied contention that this isn't "dangerous". It is more of a risk that than submitting a form, which generates a warning dialog until you disable it. It is arguably equal to the risk involved with entering/leaving an SSL site, since then at least you have the nice little lock icon most users have been trained to glance at for a very simple indication of whether or not they should be able to safely send credit card information or whatever. Other than HTTP authentication, which doesn't see a lot of use anymore, or oddball sites like the German hosting one you mention above, most times this happens to an end user, it will be deceive them, possibly with malicious intent.
Hundreds if not thousands of popular pay web sites use redirect urls with an embedded username and password in to quietly transfer htaccess credentials from one subdomain to another. If you set the default to alert people every time they hit one of these, you will confuse most consumers and cripple all of these web sites. If you must pop up a warning dialog at all, I highly recommend that you not do it unless there is a high probability of confusion, such as dots in the username or password.
IMHO the potential for harm to the user outweighs any minor inconvenience suffered by users of sites that have user:password@domain.com conventions. If the dialog is worded in plain terms and has a checkbox to disable further appearances, I don't see much of an issue. It certainly won't cripple these sites any more than the https warning does for ecommerce sites.
> It certainly won't cripple these > sites any more than the https warning does for ecommerce sites. Please don't argue to add a problem by citing another one. The https warnings are annoying, poor and even dangerous, if they lower users' regard to important warnings. If you pop up a dialog at all, please do it only for stuff that looks like deception, e.g. more than one dot in username (one dot in username is normal, like ben.bucksch).
Adam, I agree with Ben on this - warning dialogs don't really improve security in most cases. Let's try to find a solution that doesn't involve a dialog - how about some kind of smart URL viewer that breaks down a URL into its component parts in an easily readable way? How about we just put the actual hostname in a different color in the URL bar?
I guess I don't understand why it should be a problem to have a warning dialog when you get a username/password pair that is masquerading as a domain. Given the examples cited in several comments, I fully accept it isn't reasonable to warn on every use of http auth. But as I suggested in my original comment that opened this, warn if you have something that looks like an IP address (4 octets separated by dots) or domain name (at least one dot followed by 2-4 letters then you warn. This won't affect goofy domainnames with @'s in them, or 99.99% of valid http auth still in use. You include the checkbox to disable the warning just in case it really does affect someone's legitimate use. While I like Mitchell's idea of the color coded URL bar (putting the http auth stuff in red would certainly attract the user's attention) it has two problems. One, it only warns you after you've arrived at the site. Two, while the user may figure out that the bright red color in the URL bar means something, it'll be hard to figure out what it means, or that it means the current page shouldn't be trusted. If this appears on an SSL site masquerading as the user's bank web site, he might think the brightly colored URL bar is a recent addition to highlight the fact that the page is indeed secure!
Keywords: mozilla1.1mozilla1.4
Users should not be relying on a hostname or a URL to authenticate a site anyway. This is why we have SSL certificates. If we agree that there is a security problem we need to solve (even if it's psychological), maybe we should consider solving it a little further "upstream" than this. I don't think we should encourage sanity checks of URL's so much as sanity checks of a site's identity. Bug 184881 takes a step in this direction, but might be a bit radical for the near term.
As of today, when the URL is longer than the visible area of the URL field, we display the leftmost portion of the URL. What if we displayed the rightmost portion?
> Users should not be relying on a hostname or a URL to authenticate a site > anyway. Agreed, and in the long term we should be working to educate users about this. However, for now, many users look to just one place to verify the site's identity - the URL bar. So, we should at least raise the bar on spoofed and misleading URLs. I still think we should go with some kind of color-coding scheme, coupled with some user education in the form of release notes and webpages. That's informative without intruding on the user experience like a dialog. > Mozilla already has a number of "annoying" dialogs like the ones you get when > you enter/leave an SSL site That's all the more reason why we should not add another. There are lots of bugs for which we could add warning dialogs, and I almost always argue against it. It's a slippery slope - we could warn the user about a lot of things, and they'd get so many dialogs it would look like a pop-up ad blitz. > it has two problems. > One, it only warns you after you've arrived at the site. There's no way to avoid that. A page can *always* disguise the target of a link before the user clicks it, and there's nothing we can do. As Jesse R. pointed out to me, a script can change the target of the link when you mouseover it, so that something else appears in the status bar, then change it again when you click. Or the link could just point to a redirector. There's no way for us to prevent either one. > Two, while the user > may figure out that the bright red color in the URL bar means something, it'll > be hard to figure out what it means, There's an education component here. Coloring the URL parts will make the parts visually distinct from each other, and that will help keep a reasonably competent user from making a careless mistake. A naive user may not get it, but then most naive users, when presented with a dialog, will either blindly click Yes or else say "IE never gives me this dialog, Mozilla must be defective." Kai's suggestion is a good start. read my lips - no new dialogs.
What happened to my suggestion from comment 26 to escape puntuation (. as %2e, etc.) in usernames/passwords displayed in the URL bar? I don't understand why we're still debating whether there should be a dialog to warn about misleading URLs when we can make a simple change to URL canonicalization to prevent usernames from looking like familiar domain names. In comment 42, Kai suggested showing the rightmost portion of the URL when not all of the URL can be shown at once. I don't see how that would help, since hostnames are almost always at the beginning of the URL. Coloring parts of the URL would be cool, but I think it should be a separate bug. It would only work in browsers that use Mozilla's URL bar and it could be controversial or hard to implement.
> What if we displayed the rightmost portion [of the URL]? This bug is about the fact that the hostname is hidden. What you suggest means that it's almost always hidden, given the small URLbar in the default config and usual display resolution / browser window size. :( If you want to go that route, I'd make sure that the right part of the *domain name* is always visible. > Or the link could just point to a redirector. Then I would already have clicked on a link to an untrusted site ;-). I like jesser's suggestion.
I'm not sure that escaping punctuation would be any more effective than color-coding...I think we need a UI expert.
If usernames are red and hostnames are blue, and the user suddenly sees the hostname in red instead of in blue, what would he think? I guess he wouldn't know what to think. With escaped punktation, it doesn't look like a hostname at all, it just looks freaky.
> With escaped punktation, it doesn't look like a hostname at all, it just looks > freaky. In particular, it doesn't look like a hostname the user might trust, such as www.microsoft.com. Which, IMO, is what's important.
What about putting some sort of localized in-line popup next to the URL? For example, the stream converter could insert an animated warning icon by the suspect URL and when the user mouses over the URL or the icon, a warning appears in a tooltip or dropdown to explain the URL might be dangerous.
as it sounds silly, i am saying that dialog box is in place here. user can always dismiss it, if he's savy enough, but average user NEEDS some feedback. just the suggested wording should be changed to something like Mozilla has detected that you are attempting to visit a spoofed site. Link you clicked or entered is not leading to site <username> but to the site <hostname>. While majority of such sites are created for humor purposes, visiting one might also be a security risk. Continue to the site anyway? <continue> <cancel> [] do not warn me again for this username (or site, but i prefer username, not site checking) sometimes the most obvious solutions are the best. user-wise. ok. the next one should be mozilla automatically recognizing Kings of Chaos and Outwar links nad disabling them:P
Better ways to do this than an annoying dialog: - In the status bar, when hovering over http://www.cnn.com@www.evil.com/, display this instead: [www.evil.com] http://www.cnn.com@www.evil.com/ - In the URL bar make sure the actual hostname is on screen, by scrolling if necissary. If there is a username, hilite the actual host name by making it a different color, a different background color, or a different style (e.g., bold). Alternatively, emphasis could be put on the username:password@ portion by putting it in italic or slant. I think these are the main two places people might get confused by URLs with usernames in them. And I think it solves the problem without any annoyance.
*** Bug 211934 has been marked as a duplicate of this bug. ***
*** Bug 212296 has been marked as a duplicate of this bug. ***
I'd like to make one comment for a dialog box solution (yes I have read the entire bug). I don't think fixing status will work, because of Jeese's mousover js still works, and I don't think color coding the URL bar works either, because it is too late. The dialog box is idea, to me, because you should think about the combination of two factors: 1- cost of increasing "annoying" dialog boxes" 2- relevancy of warning. As the URL parser tester (and having done some system administration and DNS administration off and on for almost a decade), there should be very few links were people are legitimately using URLs w/ usernames, much less usernames w/ dots. So this warning would, in a normal world, appear almost never. In the real world, I cannot think of any other interpretation of the authors intent when I see a URL like this, except that they are trying to trick the user by spoofing the apparent display of the URL. One of the duplicates points out that this trick works w/in HTTPS, the SSL lock will appear (since the hostname necko users does match the hostname in the cert). I think the user needs some clear explaination for what is going on, why they would not want to proceed, and what the point of possible confusion is. Additionally, it occurs to me, that in response to Jeese's URL link spoofing, we might also consider some kind of security feature where javascript triggered from an HREF that loads a different URL than expected should provide a similar warning. Otherwise, I agree that we have alot of annoying dialogs, but that does not mean we should stop using dialogs to warn people about real problems. spammers are starting to hang more w/ hackers and virus writers, so I think spoofed email w/ a spoofing link is going to become much more common in the future.
benc wrote: > this warning would, in a normal world, appear almost never. > In the real world, I cannot think of any other interpretation of the > authors intent when I see a URL like this, except that they are trying > to trick the user by spoofing the apparent display of the URL Comment 32. That mentioned hoster is huge (IIRC Schlund), with a few million domains, but I don't know how popular that particular feature is. > we might also consider some kind of security feature where javascript > triggered from an HREF that loads a different URL than expected should > provide a similar warning. Unfortunately, JS abuse like <a href="thispage.html" onclick="javascript:location.href='someotherpage.html'"> is extremely common on legitimate sites (often with href="." or href="#", though), so we can't do that. >Ispammers are starting to hang more w/ hackers and virus writers, so > think spoofed email w/ a spoofing link is going to become much more common > in the future. heh, just happened today <http://www.heise.de/newsticker/data/ju-10.07.03-000/>.
>Comment 32. That mentioned hoster is huge (IIRC Schlund), with a few million >domains, but I don't know how popular that particular feature is. So what? That's ONE hoster. That's going to be a tiny portion of Mozilla's userbase. Let them disable the dialog if they get annoyed by it, all the rest of us can be just a bit safer from those with nefarious intentions. Besides, its irrelevant. If Mozilla is smart enough to know that "http://joe@average.com is going to the domain joe@average.com and not average.com, the dialog won't be trigged anyway. And my original suggestion when I filed this bug was that it only flag usernames with .'s in them which wouldn't affect this hoster's goofy domains anyway. I can't believe something so simple has been ignored, particularly due to bogus objections involving one web hoster few if anyone outside of Germany has ever heard of. Build the Deutsch versions of Moz with this disabled or something, sheesh!
> So what? That's ONE hoster. Yes, one of the biggest in the world ;-). My point (in response to benc) was that there *are* valid uses, and they don't appear "almost never". Too often that a dialog is troublesome? I don't know. > If Mozilla is smart enough to know that "http://joe@average.com is going to > the domain joe@average.com and not average.com, the dialog won't be > trigged anyway. It *does* go to domain average.com. "joe@average.com" is not a domain. > it only flag usernames with .'s in them which > wouldn't affect this hoster's goofy domains anyway. Email usernames do contain dots. <mailto:anne.freida@benning.com> -> <http://anne.freida@benning.com> > sheesh! No more popups, sheesh! ;-)
Ben: I've given this a lot of thought this afternoon, and I don't even think of it as a security issue anymore. There is a lot of compromising and interelated issues that make security design (at least to me, a big headache) Jesse's objection was really powerful, it basicially had me convinced that this was an unsolvable problem, that you can never trust what you click is what you get. It finally occurred to me that javascript could also be compelled to behave properly as well. I've realized that this is more of an honesty issue which resides at the level of "how are people going to handle acessing Necko URL parser", which is basically that as components call necko, they should be able to progamatically see what is the likely user FQDN, and compare that with what FQDN they actually go to. If there is a likely case for confusion that could be substantial, then warn the user. As for there being one big site that is the exception to my exception (they really do this, but don't indend to deceive), well after we fix this, we can send them to evangelism :) At that point, it really comes down to good judgement, there are lots of things in life you can do, but really shouldn't. In this case, our browser would pass judgement on their URLs, and deem them bad, for what I think are pretty good reasons. I'm going to stretch a little bit here too, and suggest that we need to be staying ahead of spammers, rather than let them keep dragging us through many fire-drills where they were clever and we were careless.
> Jesse's objection was really powerful, it basicially had me convinced that > this was an unsolvable problem, that you can never trust what you click is > what you get Yes, currently, but you should be able to. If you can't, this is a design bug IMHO. I must be able to know where I am going and not have to trust the linking site. Filed bug 212375. [Schlund's <http://joe.s@average.com> websites] > we can send them to evangelism OK with me, although I found their idea quite creative :).
*** Bug 212999 has been marked as a duplicate of this bug. ***
I like the idea of coloring a part of the URL and scrolling it so that the domain name is always visible, but instead of coloring the Username/password (which would only be there sometimes), why not color the domain name all of the time? Then users could get used to seeing the domain of the site in say, bold and blue, and if a malicious URL was entered they could see easily that they are at a weird site. This wouldn't solve the security problem totally, but it would be less confusing than all the sudden seeing color in the address bar. Just my 2 cents...
The problem with this is that by this time it may be too late, if the page is malicious (taking advantage of a browser bug or downloading a bad file -- if someone thinks they are downloading the latest MS security patch, but are really downloading Back Orifice or its ilk...) And even if people get used to see colored stuff in the address bar, its still something that wouldn't be noticed all the time, or even most of the time, except by those who are very paranoid. If people are that dead set against a warning dialog for the specific rare case (username with .'s in it, not every username/password instance) that most people will never see even ONCE and can be easily dismissed forever with the checkbox like other security warnings for SSL, etc. then maybe a tooltip that pops up for these occasions when you move over such a link? It wouldn't be as intrusive as a dialog, but would give the warning before someone clicks on the link, instead of after it is too late? If you move quickly it'd just flash there and wouldn't be noticed, especially if you leave tooltips on and are used to seeing them everywhere. But while not nearly as good as a dialog, it is still better than nothing, and better than showing you've already been fooled or 'sploited after the fact via the addressbar.
Why not use some rules of thumb? Like, maybe, if the username+password part is longer than X characters OR (is longer than Y characters AND contains more than Z url-encoded characters) OR (username part looks too much like a popular domain AND there are more than K url-encoded characters after that)... then issue a warning (with a Don't Warn Me Again checkbox)
Here's an example of this being used to scam people. See: http://www.theinquirer.net/?article=11081 A spam is being sent purporting to be from citibank, the URL starts out with www.citibank.com with a random string of letters and numbers (which people expect since it is used for many session based web sites) and way off to the side the @ is used to invalidate that part and hand you off to a scam site that attempts to grab your credit details. With my suggestion of alerting users when a "username" that contains a '.' is used that this is likely something nasty anyone clicking on that link would be safe (assuming the warning is stringent enough and the default of the pop up message isn't "OK") It can be argued that anyone dumb enough to fall for this deserves what they get, but think that while anyone reading this would know better, can you say the same thing about your parents/grandparents/(insert computer illiterate friends or relatives here) ?
I saw a similar one recently -- an HTML mail where the text of the link was a normal paypal URL, but the actual HREF was to some other site. If we're checking for suspicious links should we at the same time warn if the text of a link looks like a URL but does not match the actual link (or even just check the hosts)?
Summary: Warn user if username/password in link look like a hostname → Warn user if username/password in link (url) look like a hostname
Re: comment 64 - see http://news.bbc.co.uk/1/hi/business/3217485.stm to see "phishing" hit mainstream news. The scammers are using spam lists, so are hitting lots of novice users. It would be a big win (and big "selling" point) for Mozilla to implement a scheme to make the user properly aware of the domain a link is taking him/her to.
Two things could be done: 1. Note the user when the target domain is not expressed in cleartext, e g: http://www.kuro5hin.org:section@1109654166/ (from a post at slashdot). I can't see a situation where it is a non-fraud need to use such a format. (With the exception that some sites use the dotted format of the IP address (123.456.789.321) when pointing to some files. But I think that's unusual and very temporary uses.) 2. Always display the name of the site you are at. That is when you have followed a link as those we are discussing here and at the resulting site still have something like http://www.mozilla.org%2084230482304982304329048230948@fraudsite.com/ in the URL field we should make it obvious that the user are at fraudsite.com (maybe by displaying [fraudsite.com] http://www.mozilla.org%2084230482304982304329048230948@fraudsite.com/ in the URL field).
1. Display a warning dialog: 1a) when going to a URL with a username that contains '.'. 1b) when going to a URL with a long username. 1c) when going to a URL with a username. 2. Modify how the URL is displayed: 2a) Color passwords differently from domain names. 2b) Don't display the username and password in the address bar. http://www.mozilla.org:crap@ebay.com/ -> http://ebay.com/ 2c) Put the name of the site before the URL when there is a password. http://www.mozilla.org:crap@ebay.com/ -> [ebay.com] http://www.mozilla.org:crap@ebay.com/ 2d) Escape the password when canonicalizing http URLs. http://www.mozilla.org:crap@ebay.com/ -> http://www%2Emozilla%2Eorg:crap@ebay.com)/ 3. In addition to having the address bar, display the hostname somewhere else in the UI (bug 140064 comment 0). Of these, I prefer 2b or 2d.
Whiteboard: spoof
1d) when going to a URL with a username which contains a dot and is a valid domain name, for that do a DNS lookup before displaying the dialog. (I don't think that exposure of the username to DNS servers is a problem for HTTPS and not at all for HTTP.) Rationale: Prevent spurious warnings, DNS looksups are hopefully faster than a user interaction and also less annoying. If it's a valid domain, the likelyhood of fraud is high, so a warning dialog is appropriate. 2e) Display username/password in grey, maybe don't show passwords in cleartext at all, adjust alignment of URL so that as much as possible is visible from the right part of the domain name.
More grist for the mill.Fixing this would be a big PR win for Thunderbird / Moz Mail. I believe priority on this should be at least 3 if not 2. http://news.netcraft.com/archives/2003/10/26/customers_of_uk_banks_and_brokerages_attacked_with_new_wave_of_fraud_and_theft.html
I continue to be astonished at the reluctance Mozilla's developers have to fix this problem. I opened this nearly two years ago and nothing has been done at all, it isn't even targeted. I wish the codebase were understandable without days or weeks of work learning it so I could code the damn thing myself, maybe it'd get accepted if it was already done and ready to go. Do even 1% of all browser users use name/password authentication at all? Do even one of 1000 of those use usernames with .'s in them? This is so easy to fix with a simple confirmation box that would alert clueless users being spoofed about it. I bet well under 1000 Mozilla users would ever have to click the checkbox to disable future warnings. Anything you do in the URL bar will NOT BE NOTICED by the average user. Why do you guys want to target your fixes at technically competant users? We aren't the ones who will be successfully spoofed anyway (or even believe that our bank would email us asking for a "confirmation" of our password, SSN, etc.) Is "one more dialog" really a concern here? Honestly, Mozilla still defaults to putting up a goddamn warning if you do something ever so dangerous like SUBMITTING A FORM! But spoofing isn't worthy of a warning? Get rid of the retarded warning about submitting a form and replace it with this warning, then there are no more net warnings added to the browser, but the ones that are there are more useful. Maybe we just have to wait for Longhorn before this is fixed in Mozilla. Once IE handles this problem (and I'll bet they do) Mozilla will be scrambling to follow, when it could have taken the lead in security instead of being a follower behind Microsoft (how embarressing)
I have to agree with the previous poster. I have found nothing but resistance to getting things fixed/improved/added to mozilla. If you want people to treat mozilla with respect, then the main developers need to treat their users with the same respect. As long as legitimate requests keep being piled in the 'too hard' basket, or the "we shouldn't do that, but I won't offer a better alternative" basket, or the "I'm not going to do that because I said so" basket, Mozilla will never become a leader in the browser market, and will be forced to play catchup with IE every time they 'innovate' a new idea that will most likely have been stagnating for years in a bugzilla entry. Hell, I wouldn't be surprised if microsoft got some of their ideas from here in the first place.
Apologies for the bugspam. Ian, slice: The baskets and reluctance mentioned don't exist. There are, I believe only around 8 people paid to work on Mozilla. When you whine about them not fixing your pet bug, you take away from the time they have available to fix bugs and keep mozilla.org running in the first place. I'm pretty sure I have been guilty of this in the past. Take a look at some of the bugs that ARE getting fixed in each release, to gain some perspective. If you want the bug fixed, then fix it. If you're not willing to fix it, pay someone, or otherwise help mozilla have resources to fix it. If you won't do any of those things, please stop complaining. I don't think this bug needs any more comments for now, unless they're from someone willing to write code. If you must flame me/reply, don't do so by posting another comment.
Keywords: mozilla1.0.1-helpwanted
Priority: P5 → P3
I'm just a dedicated, loyal Mozilla user, and I don't understand all the technical details involved. But for these trick URLs that look at first glance like they're going somewhere other than the real destination, I'd like the browser to tell me that all is not what it seems. I'd like to see both a dialog and a tooltip, both of which can be disabled if not desired. With a tooltip to alert me of a possible trick URL when I mouse over it, I could pass up clicking on it to begin with. The dialog box could let me know what destination the URL is actually going to take me to, and give me a chance to rescind my click. And, considering that a lot of new users might be wooed to Mozilla, seeing how much superior it is to the obsolescent monopoly browser, I'd recommend that these options be enabled by default, with an obvious way to disable when invoked. The suggestions for a colored or bolded segment of the URL in the location bar doesn't appear to me to be of any use. As was mentioned, by this time you're already there, and though Mozilla is not the welcome mat for malware that IE is, there still may be many reasons for not wanting to have gone there.
reseting milestone, in case anyone is following milestone triage. adam: I'm going to take qa of this bug if you don't want it, following my comments above. darin: per comment 9 and 10, could you give an opinion on where this code would need to be placed? If possible, please consider my arguement #54 that this should not be as much a security feature as a URL parser feature. (I do not know enough about necko internals to know if necko can generate warning dialog boxes, so if I'm proposing something bad, please be kind when you say "no".) slice1900 and Ian: This bug has 26 votes. I looked at # of bugs w/ 25 votes or more, and I found 273. This is not to say that I disagree with you on the technical merits, but that there is a lot of stuff going on. And there is a lot of fixing going on, but there is always more stuff. To build off Matthew's point, there are also lots of things you can do to help, even if you don't code. Documenation, bug management, helping other people w/ their stuff, etc. With some 1 million odd downloads, mozilla does not need more users, it needs contributors (that find other contributors). Pretty much everything that can be said about this bug has been said. If that is the case, what are -you- going to do next? If you cannot repeat the same points, if you cannot directly type something here to get the bug fixed, what can you do, perhaps indirectly, not immediately, that will increase the chances of getting this fixed? Are there skills you can share with others in the community? Are there subjects you can learn more about to understand this problem better?
Target Milestone: Future → ---
The dialog box is the only way to prevent users from being spoofed. Coloring the address bar won't work, because by the time the user sees the colored address bar, the user is already victimized. By then, the user has already gone to the spoofed site. The dialog box would have a checkbox to disable it. Additionally, we could implement a whitelist of all domains on which to never show the dialog box. That way, users could still go to their username/password sites for admin purposes without being hassled while still getting the benefit of spoof prevention elsewhere on the Web. We don't need a pref panel feature. The technies will just go to about:config anyway. Either fix this with a dialog box or mark it WONTFIX. Summary change hopefully an improvement. Would be great for 1.6. Here's for luck.
Flags: blocking1.6?
Summary: Warn user if username/password in link (url) look like a hostname → Spoof prevention: Warn if username/password in link (url) looks like a hostname
>The dialog box is the only way to prevent users from being spoofed. Coloring the >address bar won't work, because by the time the user sees the colored address >bar, the user is already victimized. What do you mean by "already victimized"? Mozilla's job is to avoid letting a site appear to be something it is not. Mozilla's job is not to guess which sites are malicious and warn the user against going to them. >By then, the user has already gone to the spoofed site. If the site fails to spoof itself (thanks to Mozilla escaping the username, not displaying the username, coloring the domain name, etc), so what?
I vote for the dialog box, as per Andrew's specification at #76.
Attached patch Prototype (obsolete) — — Splinter Review
This is a prototype demonstrating one way you might implement this. The webshell file handles link clicks so I have inserted a check for dubious things. URLs containing passwords with dots, "www", "com", "paypal" and a few other checks cause the dubiousness to rise. If a link is sufficiently dubious, the webshell poses a warning dialog. The dialog needs fixing up (should we show the URL when they're typically very long in these scams?) and a checkbox tied to a persistent pref, but this is just a proof of concept. The code should probably only fire for mail/news, but the appType setting on the docshell was not set so I commented that test out. There might be some other way to test this. Also, perhaps the code shouldn't live in webshell. There is already some dialog posing code in webshell so it doesn't add much bulk, but perhaps the functionality should be farmed out into a component somewhere such as URI fixup. If someone wants to pick this up and improve it please do
Flags: blocking1.6? → blocking1.6-
Would it be a good idea to just turn following username:password@host links off? Let there be an option in Preferences to enable it for those users that understand what they are doing. I am a freelance computer engineer. I have tested the Opera browser with a customer of mine and she *did not* understand Opera's "you are about to go to an address containing a username" dialog. In fact she says she just dismisses all dialogs because she doesn't understand any of them. Also I believe none of my hundreds of customers ever need to follow links like this. My evidence is that I have set up hundreds of recent copies of Opera in people's homes (before Mozilla became my preferred and recommended browser). None have ever mentioned ever seeing this dialog. I have just received a fake email purporting to be from Natwest Bank and it upsets me greatly that right now there is nothing effective I can do immediately to protect my customers against this danger. How about a dialog saying: Title: Fraudulent address alert Icon: Big red STOP sign Content: Mozilla has detected you may be about to go to a fraudulent address. The actual hostname in the address is [specify hostname]. For your protection, Mozilla has disallowed this potentially dangerous action. For further information, click [here]. Buttons: OK The user will have to read the further information and then go into Preferences to enable following this type of link. By all means Mozilla could optionally be clever and attempt to detect misuse of this type of link. Surely this is subsiduary to allowing that type of link at all? I am worried that Natwest and other banks are right now asking Microsoft to implement something like this in Internet Explorer. Then the banks will come down with a blanket policy like "NO browsers other than Internet Explorer and only then Internet Explorer with such-and-such patch". Then with my favourite browser shut out I will be very upset indeed!!
Phil Jones' comments were quite true. IMHO, we should consider the following before making a dialog: 1. People don't read. The vast majority of users click OK without reading anything else. 2. People are ignorant. They do things without thinking. (Examples: #1, using IE, etc.) We must make it semi-challenging to go to such a site. That way, ignorant people are protected. Jones' suggestion seems to fit the bill: 1. Disable the http://user:pass@whatever.com links by default. Should FTP links of this sort will be blocked too? 2. Leave an option buried in the preferences to enable the links (for advanced users) 3. The dialog features only an OK button. Manually opening the prefs to change the settings shows you genuinely want to enable the links.
Disabling passwords is going to cause problems for subscription download sites Sites such as fileplanet.com offer links for downloading games, mods, patches. Anyone using this or a similar service may discover it doesn't work anymore in Mozilla. Sun & Apple ADC also use strange temporary user/pass URLs for controlling file downloads. They can't be the only ones. I also don't believe that you can say with certainty that a link is fraudulent. You can certainly make the dialog suitably eye catching with a big warning icon and a plain English description of how it *may* be fraudulent. Users only have themselves to blame if they ignore the warning.
I have modified my suggestion based on Ben Bucksch's comment (# 38). If the address contains a dot in the username part, or a dot in the password part, I suggest Mozilla should refuse to display the page. Even a single dot is exploitable with high-value sites that leave off the leading 'www', Slashdot style.Mozilla should of course explain why and offer a link to docs explaining what may be going on, and how to change this restriction. This will:Allow:http://joe:joepass@legitimatehost.comDisallow:http://bigbank.com/e-banking:update.html?Session=rdklk324342AAd&ClientIP@64.174.108.131/Sites with a reason to use dots in the username or password part must accept (IMHO) they are broken because criminals have discovered how to steal people's money via the Internet. To work around this, I suggest a browsing preference:Preference title: When a potentially misleading address is detectedOption (default): Do not go to the addressOption: Display a warningWhen triggered, the warning could look like Opera's dialog but with a bit more explanation:Title: Address contains a usernameIcon: AlertMessage: The address contains a username and/or password. Please be sure that the server name shown below is what you are expecting. If not, this may be a misleading address. Server: 64.174.108.131Are you sure you want to continue? If you are unsure, click Cancel.Options: OK, CancelCheckbox: Do not show this again for this address
Sorry about my previous post which didn't seem to come out right. I hope you don't mind if I post it again. I have modified my suggestion based on Ben Bucksch's comment (# 38). If the address contains a dot in the username part, or a dot in the password part, I suggest Mozilla should refuse to display the page. Even a single dot is exploitable with high-value sites that leave off the leading 'www', Slashdot style. Mozilla should of course explain why and offer a link to docs explaining what may be going on, and how to change this restriction. This will: Allow: http://joe:joepass@legitimatehost.com/ Disallow: http://bigbank.com/ebanking:update.html?Session=rdkl4342AAd&Client@64.174.108.131/ Sites with a reason to use dots in the username or password part must accept (IMHO) they are broken because criminals have discovered how to steal people's money via the Internet. To work around this, I suggest a new browsing preference: Preference title: When a potentially misleading address is detected Option (default): Do not go to the address Option: Display a warning When triggered, and the option is set to "Display a warning", the warning could look like Opera's dialog but with a bit more explanation: Title: Address contains a username Icon: Alert Message: The address contains a username and/or password. Please be sure that the server name shown below is what you are expecting. If not, this may be a misleading address. Server: 64.174.108.131 Are you sure you want to continue? If you are unsure, click Cancel. Options: OK, Cancel Checkbox: Do not show this again for this address Would this be acceptable as a solution?
This is more or less what the prototype patch already does.
There is no reason for there to be a warning dialog. Displaying the . as %2e would fix the spoofing problem without annoying users and without running into the problem that some users ignore dialogs.
Re comment 79: The routine should also test for control chars in fake host names due to exploits of IE parsing vulnerability. See bug 225845, comment 5.
*** Bug 228090 has been marked as a duplicate of this bug. ***
Appologies for adding "noise" to this bug, but I think its worth checking this article: http://www.theregister.co.uk/content/55/34447.html In brief, a new IE exploit has been found where IE will not display any part of a URL after an 0x01 character. In practice, a dodgy URL when clicked on an IE user will look *exactly* like the URL it is pretending to be. So why do we care? Because Microsoft will likely patch this bug either in this coming "monthly update" or next months... the problem is far far too sever for them to ignore. I don't know if they'll take the time to create a more "robust" patch along the lines of what has been discused here, but I guess its possible.
*** Bug 228166 has been marked as a duplicate of this bug. ***
*** Bug 228176 has been marked as a duplicate of this bug. ***
Just a potential solution that I didn't see mentioned in this bug. For sites of the form 'http://user:pass@www.server.com/path', why not simply display : 'http://www.server.com/path [login=user, password=pass]' ? Of course, this would only be a display hack, and internal processing (bookmarking, copying to clipboard, ...) would always use the "@" notation, but all UI displays (status, URL bar, ...) would use the "explained" form... Just my 2 eurocents.
I've gotten a couple of PayPal and other spoof emails which uses URL-spoofing to try to trick people into giving up account info. It's very hard to detect because the emails are HTML so the actual URL is hidden - all you see is a legitimate URL (<a href="paypal.com@hacker.com">paypal.com</a>). Also, the site's indistinguishable in its looks from the legitimate one. This is a HUGE secuirty problem that probably all financial firms (and others) are aware of. I also want to reemphasize what many people have pointed out, that there's virtually no legitimate reason to use a URL with a user name that looks like a domain name. I want to throw out an idea that may be a little complicated and I'm not sure if it can be implemented at this time. A dialog such as the following will force even the most click-happy user to take notice. Starred words are bolded, colored, or otherwise emphasized. The link you are trying to visit appears to be an attempt to spoof a legitimate site, using user name [paypal.com] and password []. Do you wish to: [ ] *Continue* on to spoof.com [ ] *Cancel* the visit
This 'bug' is now almost 2 years' old, having been first raised in January 2002. There are currently 51 people CC'd! Most people agree something needs to be done. The arguments centre around how much Mozilla should act as nanny for the user, i.e. how do we implement solution? Can I suggest a way forward: 1) All those with suggestions re-present them for a period of say 1 week. 2) Bug owner summarizes / categorizes. 3) Everybody currently cc'd on this votes on the solution. 4) Solution is implemented for v1.7. If it causes trouble when the full userbase tests it, different solution considered for 1.8. Will Smith Malaysia
You just spammed 51 people. Thank you. Ideas have been presented. Please read everything posted on the bug and comment if you have something new to add. Just because a bug is old doesn't mean it is ignored.
>virtually no legitimate reason to use a URL with a user name that looks like a >domain name. mails from hosting providers, telling users to update web pages using ftp://their_domain_name@hosting_provider.com/ maybe?
we shouldn't dictate what kinds of usernames or passwords people are allowed to use. Even using the single word 'microsoft' as username will probably fool a lot of users into thinking that their at microsoft.com. A much better suggestion IMHO is to not show the username or password in the url at all, like in comment 93 which should work just fine when displaying the url in the statusbar. We can't do this in the url-bar though since that is an invalid url. However couldn't we simply remove the username and password from the urlbar? If i'm logged in to a site and then enter a url that doesn't contain the username/password, won't we still log in using that username/password?
There have been suggestions to not show parts of the URL, e g userid/password. That is not good. IMHO the two most important points in this context is: 1. The URL which is used *MUST* always be shown (complete) in the URL bar. 2. The user MUST be *very clearly informed* of the domain he is connected to (or, if possible, he is being redirected to). Therefore I suggest a solution like this in the URL bar (taking from an earlier example): (server.com) http://user:pass@www.server.com/path Maybe "(server.com)" should be in bold and/or red. An alternative could be new dedicated info field for actual domain. But the latter would take unnecessary space, I think. A feature of lesser importance would be an option to block URL's that contain an user/passw prefix which is in a format resembling a domain and/or is beyond a certain length (the latter to e g block URL's with the prefix part of such a length that the domain is not visible in the URL bar).
I suggest this feature work like the popup blocking. Initially all http (not ftp) requests with username/password are blocked and an icon appears in the statusbar. You can then unblock the specific site or turn the block off. Are there any useful, legitimate uses of username/passwords in http requests? The work can be divided: 1) fix status bar The status bar not showing the correct location is clearly a bug #228176. 2) (optional) Color highlighting for URL in statusbar/addressbar 3) (optional) Implement blocking
I wonder if instead of creating yet another annoying dialog, we could make the problem more generic and obvious, and maybe easier-to-use (ease-of-use I'll leave to the experts). How about if a URL contains a username/password, Mozilla strips those out of the URL field (as hinted at above) and puts them below the URL bar. Then it becomes obvious that something funny is happening. I don't think it's a good idea to try to anticipate 'badness' of user/pass encoded URLs, and I'm not sure if this is something that would have to be 'always on' for consistency, but I thought I'd throw it out as an idea. A general-feel-for-it mockup is attached. The top represents the way it is today. The bottom is the way it could be.
I like the concept in <a href="http://bugzilla.mozilla.org/show_bug.cgi?id=122445#c101">#101</a> as long as make sure that those OTHER boxes would ONLY show if it's a url with a user and password in the URL. Otherwise all the newbies would be confused as hell. Also, how would this affect HTTP username and password realm authentication?
Attached image Mockup of alert idea —
This mockup presents a concept similar to popup blocking. If you want to continue, click the little icon in the bottom right of the browser. At that point, you decide whether to enable access once, allow this site forever or allow all sites. If you are a fool who doesn't read dialogs, you will be protected against your own stupidity.
First off. >>virtually no legitimate reason to use a URL with a user name that looks like a >>domain name. >mails from hosting providers, telling users to update web pages using >ftp://their_domain_name@hosting_provider.com/ maybe? I forgot about ftp, but I was just talking about http. If someone's using ftp they can hardly be spoofed unless they're brainless. And I don't mean figuratively. Now, on #101: what if someone has a tiny toolbar, eg with small icons? What if they don't even have a location bar? (Have to consider all cases) Would it work with all chromes/themes? On #103: I think this can be a good idea if people don't think it'd clutter the status bar or something. :) But I think the message has to be very clear on why this may be fraudulent. To the average user this dialog tells them nothing about the reason, which is very important.
i think that this bug have several parts, each should be fixed: 1-the long username problem: any username bigger than say 16 characters should be marked as "BAD thing". A long enough username cam make this bug into a security problem like bug #228176, so reporter or someone with enough power please update the status, add the security flag there i know no real system that uses usernames bigger than 16 characters, and if they exist, they should be rare 2-the same for the passsword (or maybe some more characters, about 20?) 3-both username and password bigger than 20 character also marked also as "BAD thing" (most people enter the password after, in the login dialog, this combinations is less usuall) 4-any username with a "." in it should be marked as bad 5-the username/password looks too much like the real URL, it should be ALLWAYS some_color/gray (username red/blue/green, password grey, so the password is harder to read by any guy near us) maybe the username or the real URL in italic/bold is a good thing also 6-the status bar, should display the real URL and then the (username:password), as its more important to see here we are going than if the login is the correct or not the username:password should be allways show in the end, but as the rule above, only the max of 32 characters will be shown, as the other will be marked "BAD thing" and the popup dialog will take care of then 7-all marked "BAD thing" url should get a popup dialog, stating that the user is trying to acess "the real URL" with username "username" and password "password". the dialog then ask to allow or not (and so should have the buttons "allow" and "abort") if allow, it should store that information for the session, as this kind of login are also just stored for the session also, maybe a note in the dialog stating that the username will be show as red/green/italic/whatever in the url bar might be a good idea we cant hide the username:password because some sites require login to use special things and the url might be the only place they have the username and password, and viewing the html source isnt one option for this kind of people at least issue 5 should be fixed ASAP to reduce the danger of this security problem. if this existed,bug #228176 would be less important, as the url would show in a different color, pointing to something fishy...
>i know no real system that uses usernames bigger than 16 characters, and if they exist, they should be rare I am not so sure how rare they are. I have seen system where the username matches the person's full name. In that case, it can easly exceed 16 characters (take may full name for example: ShoshannahForbes- it is exactly 16 characters).
re comment #102 My idea is that mozilla would simply parse the URL and put the appropriate data in the fields, or extract the data from those fields to construct the URL behind the scenes. I think it's easier for the realm authentication, personally, because you can type the URL as given (if given) OR type the URL with the username and password in the username and password fields. If authentication credentials are present you are logged in directly (cuz that's just how it works). However, this lends itself to demanding that both fields (or at least just the login, Mozilla could prompt for a password like it does for email, etc) be always present. I'm thinking that this isn't a bad thing. A future enhancement could be that Mozilla puts the user-provided realm login data into <form> logins, if present, just to add some slickness. The advantages to this are twofold: It is OBVIOUS, and it is NONINTRUSIVE. I like the idea of coloring, but colors are confusing for newbies. This seems very blatant for newbies. The people who would have the most trouble are the experts, because it's different. For chrome issues, I don't see an immediate solution to the "small-icon" problem (comment #104). For the "no location bar" issue, I say this is invalid. If you don't have a location bar, you have no indication of what site you are on anyway. Of course, this depends on what problem you're trying to solve. This may just be a new bug.
This is a simple HTML doc with example links. One simple spoof, one new spoof based on the newly discovered IE flaw and one "legitimate" link containing user name and password. I'd like to draw attention to the fact that example link 2 shows *only* the spoofed URL in the status bar of Mozilla! (I'm sure many people are aware of this, but I wasn't so this post is for the benefit of anyone else who didn't realise that this IE bug also partly affects Mozilla).
I read this whole bug over the last two days. Many peoples ideas initially seem like a good solution. However, we must examine this issue with a lot of thought. A dialog box is not a good solution and this is why: 1) Most users don't read them 2) You will anger website owners who give out legitamite links and their users get shocking security warnings when nothing is wrong. 3) Mozilla cannot be the judge of legitamite urls, that is for the W3C. 4) Bugzilla is not a fair place to decide how widespread HTTP Authentication is used, Apache today is used on 60% of web servers and HTTP Authentication is wildly popular and with that popularity is the use of links with the username and password embedded. 5) If you allow the ability to uncheck that the warning from showing up again, then novices will uncheck that and have no protection when they are spoofed in the future. If you don't allow the dialog box to be disabled in the future, then you basically are breaking the way the web works. 6) This is a slippery slop to having a dialog when a website from another domain is loaded in a frame. A lot of spoofing happens at hotmail where you cant even see the url, so the username and password spoof trick isnt even used. Changing how the URL is displayed in the address bar will not work because: 1) There is a long history of giving the exact url in the address bar, and Mozilla will not gain popularity if you chop up and colorize the url. People need to be able to see and manipulate the full url. Mozilla needs to be forward thinking. The best solution is the one that requires the least amount of education, because educating the whole world is impossible. Also, the best solution allows security conscious websites (ie. banks, paypal) to educate their users on what to trust. For example PayPal tells their users, only enter your PayPal information when you see: https://www.paypal.com Now we know that can be spoofed: https://www.paypal.com:cmd%20adfa2lkjr39i7a23971n1l3ku497ibuka23lkjs7@gotallyourmoney.com I have attached a crude mock up of a GUI that could be implemented to solve this problem properly for all time. The users will look at the location bar when determining if a site is trustworthy or not. For that trust we need to give the URL, the hostname and the lock icon so they know they can enter credit card information. When a website is locked we can also show the organization. There would also be room (it's not shown in the attachment) to place the trust authority (eg. verifysign, geotrust). Educating users on how to use the information shown in my attachment is far easier than teaching them how to parse the URL and I believe it's such an obvious way to show the information that no education would be required.
How is that different from the other proposed item: http://bugzilla.mozilla.org/attachment.cgi?id=137342&action=view The same problem of screen real-estate exists.
It also does nothing for non-SSL sites.
alanjstr, actually it's similar on the surfer to that attachment but differs in two important areas: 1) The attachment I uploaded does not remove the username and password from the url. 2) Since the vast majority of sites are visited without a username and password, it's far more useful and astetically pleasing to have a hostname box which is filled on every site and it provides a consistant location for users to look to see if they trust a certain site. attachment 137342 [details] is a good idea, but I believe that attachment 137416 [details] is an improvement on that idea. Yes the same problem of screen real estate exists, but if we cannot allocate a little amount of real estate to this issue, then it's probably not an important enough issue to fix. Aaron, >It also does nothing for non-SSL sites It clearly shows the hostname for SSL and non-SSL sites. The hostname cannot be spoofed and users will know they are not at www.microsoft.com if the hostname box has www.evilspoofersite.com
Re comment 109: Something like that for SSL was already suggested in bug 184881, and I had an additional hostname field in mind since a long time already, see bug 228524. However, the suggestion in comment 109 won't fix this bug, see bug 184881 comment 8. You'd have to remove the URLbar (bug 228524), but I don't expect that to happen for Seamonkey. So, IMHO, Jesse's suggestion of escaping "." in username would be least obtrusive and most effective for now. Code-wise, how about consistently (for status bar, URLbar, etc.) using a function like UnEscapeURIForUI and there implementing that special escaping?
Another solution that doesn't break FTP links can be found in bug 228612.
Would it not be better all round to remove/censor the username & password anyway? [these things are fairly stupid in practice since your username and password are displayed in clear text] Maybe for display purposes, replace the username and password with 'user' and 'pass' in square brackets? http://fred@whereever.com -> http://[user]@whereever.com http://fred:bert@whereever.com -> http://[user:pass]@whereever.com [and maybe if you click in the URL, it shows the actual username and password?]
Blocks: 212999
*** Bug 229301 has been marked as a duplicate of this bug. ***
My votes are to display near/in the URL bar a hostname when the user/password seem questionable. ie: [hacker-site.ru]http://www.bigbank.com%04login.php?secure=1&@hacker-site.ru/accountaccess.php and for some indication by the lock icon of what hostname the SSL cert is for. (Even if that just means a tooltip when you hover your mouse over it saying [accounts.bigbank.com]
While I think the change to the URL by prefacing the hostname [hacker-site.ru] would be the most blatant and easy to recognize by ininformed users, other suggestions to change color of user/password are probably a close second. While a user may not know why that part of the URL is bold and bright red, it should at least give them cause to stop and think before blindly entering account or personal info. So... color-coding the user/password portion of the URL also gets my vote. One advantage it would have is you could still copy/paste the URL from the address bar without getting any extra 'stuff' along with the address. And I'm absolutely against a pop-up dialog of some type.
I think color is better than displaying the [host.name] next to the URL, simply because changing the color of authentication tokens in the URL can always be done, whether we think the URL is suspicious or not. The suggestions to display the hostname based on the result of some heuristics run against the URL are fine in theory, until someone works out how to run a fraudulent web site which doesn't trip any of the heuristics. Making usernames in URLs bright red whether they're fraudulent or not is an end-run around that problem which doesn't involve any pesky alerts.
URL coloring and dialog boxes are not mutually exclusive. Please file a new bug for that discussion. As for the dialog warning logic, I think that any "." should trigger the warning. Please give an example of how you could spoof around this.
I did file a new bug. It got tagged as a duplicate of this one and closed :-)
How about changing the mouse cursor on mouseover of such a link? The mouse cursor could be changed to a "skull and bones" icon, for instance. For keyboard navigation, the focused link could be outlined as normal, and a red slash could be placed over the anchored element.
Flags: blocking1.7a?
Well, apparently we have a number of ideas (toolbar, dialog, cursor, etc.) for how to deal with spoof URLs. Every day that goes by, someone is tricked by a fake Paypal/Ebay/AOL email. We need to decide what technique to adopt - NOW! Perhaps we can set up a poll to quickly figure out what the majority wants and go from there. I would really like to see this feature appear in 1.7, and if we get moving we can do it.
Flags: blocking1.4.2?
There's no way this is 1.4.2 or 1.7a blocker; that's generally for bugs introduced by recent patches. Someone from Paypal/Ebay should offer a small bounty to the person providing the patch that fixes this bug.
Matthew: in much the same way as you spammed dozens of people, i'm doing the same now. Please let the drivers decide on what's a blocker or not. Furthermore, imho your statement is incorrect. Giving users a reliable and safe browsing experience ARE of core importance for a browser. Also your "recent patches" statement does of course not apply to a browser that has already been released. And finally, i don't think it's Mozilla's goal to wait for/require donations from parties that are victims of malacious sites before a bug is fixed. I'm sending this out in the hope that all future comments are aimed at getting this bug fixed. [and my apologies for the spam]
There is a prototype patch for this bug already attached. I received precisely zero comments about it and yet I see people raising points that it addresses over and over. To recap (see comment 79 for full blurb) - it counts the number of dots and a few other things in the userpass part of the URL. If it considers the URL 'dubious' it throws the error warning. As I mentioned before it has limitations (it should be a confirmCheck for one thing), but I would be glad if someone would say something about it one way or another!
Thanks for your patch, Adam. First of all, I apologise for posting comments after your comment #79 without reading your code! The patch is great. It certainly addresses the issue raised by this bug as it stands. My comments are:I was confused initially by the "if (dubiousness > 1)" test. At first I thought it meant no dots are allowed but then I realised it means one dot is allowed. For readability please could you change that to "if (dubiousness >= 2)"?I think it would be a good idea to also check for dot-like characters such as comma and dash. Something like:+if (*iter == '.' || *iter == ',' || *iter ==';' || *iter == '-' || *iter == '_')+ numDots++;This is because scammers might try to work around Mozilla's detection by using non-dot separator characters. I would think there is something strange about "ebanking-abbeynational-co-uk" but naive users might not notice.The patch checks for the presence of "www" which I think is good. There are no words I know of that contain "www" so that seems a pretty sure sign of a fake URL. I know of some potential victim sites that do not mention www in their URL but they do at least have two or more dots.I'm not sure about testing for "com". There are lots of English words that have the letters "com" in them. A quick search of /usr/share/dict/words for "com" reveals 543 words. Examples: becoming, forthcoming, outcome. All of these words would make at least usable legitimate passwords, or parts of good passwords. As for mentioning specific examples of commonly scammed sites, "ebay", "paypal" and "amazon", I worry that would be difficult to maintain because the list of potential scammed sites is very long and constantly changing. Also, the word "amazon" would make a legitimate password, or part of a good password.The "spoofURL" warning message is excellent because it mentions the context that the warning might appear in, ie after clicking a link in an untrusted source such as unsolicited email. It says what is wrong with the link (resembles one web address but direct you to another) but I think it could be clearer. For example, it could say "Mozilla thinks the link you have clicked on may be a fraud". The word "formatted" is jargon that may not be very meaningful to some users, especially inexperienced users. It might be a good idea to state the real address (eg bad.site.ru) and say something like "if this is not what you are expecting then you should check with your provider before you proceed."If the message were in a confirmCheck dialog then perhaps it should say something like "If you are sure you wish to proceed, click Continue. Otherwise click Cancel (recommended)." This would borrow from the style of some MS dialogs where they give options and it says which one they advise the user to choose.Here is suggested modified spoofURL code:+spoofURL=Mozilla thinks the link you have clicked on may be a fraud. It is actually a link to the web address '%S'. If this is not the web address you were expecting, you should check with your service provider before you proceed. If you received this link from an untrusted source such as unsolicited email you should exercise extreme caution before entering personal details such as login or passwords. If you are sure you want to continue, click Proceed. Otherwise click Cancel (recommended).There is a related issue here to do with users that don't read dialogs. Unfortunately we are not the only browser. If Mozilla refused to load the address, as I advocated earlier, an uncomprehending / stupid user would assume Mozilla is broken, which it isn't, and then switch to a dumber browser, which would be a disaster! So I think the best we can do is offer a dialog for users who do read dialogs, and then we can say we tried. :-)
Oh no. I'm sorry, my posting doesn't seem to be newlined properly. Apologies everyone, here it is again. I hope it works properly this time. Thanks for your patch, Adam. First of all, I apologise for posting comments after your comment #79 without reading your code! The patch is great. It certainly addresses the issue raised by this bug as it stands. My comments are: I was confused initially by the "if (dubiousness > 1)" test. At first I thought it meant no dots are allowed but then I realised it means one dot is allowed. For readability please could you change that to "if (dubiousness >= 2)"? I think it would be a good idea to also check for dot-like characters such as comma and dash. Something like: +if (*iter == '.' || *iter == ',' || *iter ==';' || *iter == '-' || *iter == '_') + numDots++; This is because scammers might try to work around Mozilla's detection by using non-dot separator characters. I would think there is something strange about "ebanking-abbeynational-co-uk" but naive users might not notice. The patch checks for the presence of "www" which I think is good. There are no words I know of that contain "www" so that seems a pretty sure sign of a fake URL. I know of some potential victim sites that do not mention www in their URL but they do at least have two or more dots. I'm not sure about testing for "com". There are lots of English words that have the letters "com" in them. A quick search of /usr/share/dict/words for "com" reveals 543 words. Examples: becoming, forthcoming, outcome. All of these words would make at least usable legitimate passwords, or parts of good passwords. As for mentioning specific examples of commonly scammed sites, "ebay", "paypal" and "amazon", I worry that would be difficult to maintain because the list of potential scammed sites is very long and constantly changing. Also, the word "amazon" would make a legitimate password, or part of a good password. The "spoofURL" warning message is excellent because it mentions the context that the warning might appear in, ie after clicking a link in an untrusted source such as unsolicited email. It says what is wrong with the link (resembles one web address but direct you to another) but I think it could be clearer. For example, it could say "Mozilla thinks the link you have clicked on may be a fraud". The word "formatted" is jargon that may not be very meaningful to some users, especially inexperienced users. It might be a good idea to state the real address (eg bad.site.ru) and say something like "if this is not what you are expecting then you should check with your provider before you proceed." If the message were in a confirmCheck dialog then perhaps it should say something like "If you are sure you wish to proceed, click Continue. Otherwise click Cancel (recommended)." This would borrow from the style of some MS dialogs where they give options and it says which one they advise the user to choose. Here is suggested modified spoofURL code: +spoofURL=Mozilla thinks the link you have clicked on may be a fraud. It is actually a link to the web address '%S'. If this is not the web address you were expecting, you should check with your service provider before you proceed. If you received this link from an untrusted source such as unsolicited email you should exercise extreme caution before entering personal details such as login or passwords. If you are sure you want to continue, click Proceed. Otherwise click Cancel (recommended). There is a related issue here to do with users that don't read dialogs. Unfortunately we are not the only browser. If Mozilla refused to load the address, as I advocated earlier, an uncomprehending / stupid user would assume Mozilla is broken, which it isn't, and then switch to a dumber browser, which would be a disaster! So I think the best we can do is offer a dialog for users who do read dialogs, and then we can say we tried. :-)
>Here is suggested modified spoofURL code: that text is _way_ too long. very few users will actually read it (even fewer than would normally).
The reason we have standards on the web is to promote freedoms. Warning a user when they visit any url is against the goal of standards and freedoms. Mozilla is then imposing it's version of what is right and what is wrong. This is not the job of Mozilla. This is the job of the standards body. One of Mozilla's shinning attributes is that it follows the standards very carefully. Any attempt to analyze urls for "fraudulent" urls is self defeating and can put mozilla in a position to be sued for libel. Because if I ran a huge site and a new version of Mozilla came out that was warning my users that the site might be fraudulent then I would be in a position to sue The Mozilla Foundation for libel. I strongly urge against this course of action. For a more reasonable solution please view Comment #109 and other suggestions that propose long term solutions to this problem by having better GUI interfaces for recognizing what site you are at.
> The reason we have standards on the web is to promote freedoms. No they're not. They're to ensure interoperability, they have nothing to do with freedoms. (Free software has a lot to do with freedoms, but free software and standards are completely unrelated.) > Any attempt to analyze urls for "fraudulent" urls is self defeating and can > put mozilla in a position to be sued for libel. Opera does this, and hasn't been sued for libel. I seriously doubt Mozilla would be. It already says "Warning you could be being watched" for a number of things, such as searching on google, as have almost all browsers for almost a decade, and nobody has been sued for libel. Let's please stay realistic here.
Re: Peter Kroll's recent message. Furthermore, the standard is flawed. Allowing these kinds of URLs was fine a few years ago. Today, however, it creates a security hole ever more commonly exploited. The Mozilla Project does need to honor standards. Yet, when the purpose of a certain standard is no longer relevant, or is outweighed by other concerns--such as security--then we have to react to the changing real world conditions. I'm in favor of fixing this bug.
Interoperability has everything to do with freedoms, specifically the freedom to choose a provider of computer programs. And Andrew Hagen is right: just because something is a standard doesn't mean it's safe. TFTP is a standard, but it has security holes. SSH version 1 is a standard, but it has security holes.
I am still strongly against a pop-up or dialog box as the only alerting method. If a user regularly visits a site which includes username/password information, they will soon grow tired of the alerts and simply turn them off. If we don't allow the option to turn them off, then it will just seriously annoy/irritate them. Once a user turns off the alert, they'll no longer have any indication that something might be wrong when they visit a spoofed address. Therefore users who regularly visit URLs that yield false positives, will reap virtually no benefit from the patch. Colorizing the user:password portion of the URL won't affect real estate, and won't prevent copy/paste of the URL. It will, however, be a constant but inobtrusive visual indication that the URL is not "normal." It also isn't subject to a scammer engineering their URL to bypass Mozilla-specific "dubiousness" tests. I personally feal the dialog box is a futile effort, however, if it is going to be used, please leave a way to easily disable it and please still consider displaying the user:password portion of the URL in a different color.
RE: Cory Jaeger's Message > Colorizing the user:password portion of the URL won't affect real estate, and > won't prevent copy/paste of the URL. It will, however, be a constant but > INOBTRUSIVE visual indication that the URL is not "normal." (emphasis added) The same reason you like your idea is exactly why it would be utterly useless. If it is not obvious and/or obnoxious it will be easily ignored. Dialogs may be annoying, but they grab your attention like nothing else will. If you wish to disable the dialog, there should be a checkbox within the preferences (not on the dialog itself, too easy) - buried deep enough that only those that know what they're doing would find it. This may seem like nasty medicine to some. However, we must remember that Mozilla is now gearing itself towards the general public. The general public often does not know what they are doing. Therefore, we must deal with a little annoyance for the good of the masses/newbies.
Attached patch Patch — — Splinter Review
Here is a patch based on the earlier prototype. I've taken into account some of the comments about it and it now checks for dot-like chars as well. I have also tightened the string checking by looking for a dot-like char before the com and before or after the common scam names to reduce false positives. I know paypal, ebay etc. are not the only victims of scams, but they must represent a good 80% of them. The dialog wording has changed although I do not say "fraud" anywhere because the simple fact is we don't know if the site is the fraud. We can guess but we don't know. I also don't display the URL - scam URLs can be massive with embedded non-printable chars (or escaping) so it would be pointless to shoehorn it into a common confirm dialog when it will make it the width of the screen. It would be nice to have a dedicated warning dialog (like the popup killer) with the URL broken down into pieces, nice scary graphics etc. But I consider this a good first step, ready for review. Please move general debate about the whys and whatnots of scam detection out of this bug please.
Attachment #136315 - Attachment is obsolete: true
> If it is not obvious and/or obnoxious it will be easily ignored. Dialogs may be > annoying, but they grab your attention like nothing else will. If you prevent sites from spoofing, then there's no need to "grab the user's attention", and even users who ignore dialogs will be protected.
adam: Two comments: First, the spoof checking seems incredibly overcomplicated. Can't we just search for dot-like characters and the moment we find one, assume it's a problem case? Second, the warning is to long. I don't have a suggestion on shortening it, really, but more than two sentences is just too long, and nobody will read it, even if it says "please read this carefully". (I've seen users who, upon seeing the alert "This file name already exists. Please chose another." or similar, turn to me and say "help!" without even reading the message.)
how about changing the dialog to Yes/No and the message to the following? Mozilla thinks the link you have clicked on may be a fraud: it is actually a link to the web address "%S". Are sure you want to continue?
I *still* think that the best (and least obstrusive in many ways) is to *display* the domain in the actual URL in the URL bar this way: (server.com) http://user:pass@xxx.yyy.zzz.www.server.com/path... *Please* remember that the actual the problem is that the user don't *see* "http://www.server.com" etc. It's *equal* bad from the user's point of view if he goes to "http://www.bigfraud.com" as to "http://user:pass@xxx.yyy.zzz.www.bigfraud.com/path...", but we still don't try to solve/help the user with the "http://www.bigfraud.com" case !! So, to reiterate, we want to be sure that the user is as clear where he is as if there were "http://www.server.com" in the URL bar. And I think we are with this solution.
I suggest changing the dialog verbage in the patch to the following: "The link you have clicked on has been formatted to look like one URL but direct you to another. You should exercise extreme caution before entering any personal information such as passwords or credit card information.\n\nTo protect your security, Mozilla suggests that you click Cancel." Other thoughts: - Cancel button must have focus by default. - Remove the do-not-show checkbox, it makes it too easy for fools to dismiss the dialogs. The option should be in the preferences, as I have stated before. - If the user clicks Cancel, display a "Page load cancelled by user" message within the browser. This lets the person know that they chose to stop the page load, that it is not a problem with Mozilla.
>Mozilla thinks the link you have clicked on may be a fraud: it is actually a >link to the web address "%S". Are sure you want to continue? Yay! Well done, Louis Bennett. That is brilliant. I'd certainly like to see that message in Mozilla.
Comment #140 (server.com) http://user:pass@xxx.yyy.zzz.www.server.com/path... this is the most sensible/benefitial/simple solution available. it's not annoying and it's obvious to users. when you add the pro vs the cons this may be the best solution for a 1.7 or 1.8 time frame. because it's not a major GUI change. (server.com) can be shown for all urls in the location bar, but have it not selectable. so that people still get the same functionality of copying and pasting the url from the location bar as they do now. example: the names would not be shown it's just so i can textually show you what I mean. the favicon is not currently selectable and would remain unselectable. the host would be new and would be unselectable. the url is as usual and is selectable. fav host selectable url M (server.com) http://www.server.com/dir/page.html
> (server.com) http://user:pass@xxx.yyy.zzz.www.server.com/path... > this is the most sensible/benefitial/simple solution available No. See comment 68, 2d).
Ben. I agree #68 2d) is the simplist fix. And it's far better than a dialog box. My personal opinion is the proper fix will eventually show the host name. I dont want to get off topic, but some solutions in this bug are attempting to have mozilla police the internet. I think the best solution solves this problem without policing. If Mozilla gets involved in policing we should filter unencrypted post data whenever a 16 character field is sent that starts with 4 or 5 cause it's likely a Visa or Mastercard number.
Adam Lock wrote in comment #136: > I do not say "fraud" anywhere because the simple fact is we don't > know if the site is the fraud. We can guess but we don't know. True. But Louis Bennett's suggested wording in comment #139 is "Mozilla thinks it *may be*". Not "*it is*". In my (unscientific) 'wife test', Louis' dialog wording seemed to get the message across immediately. All other dialog wording suggestions, including mine, did not do so well. > I also don't display the URL Yes. I think that's a really good idea.
I must be really dumb, but it seems to me that rfc2616 doesn't allow usernames/passwords in http uri: 3.2.2 http URL The "http" scheme is used to locate network resources via the HTTP protocol. This section defines the scheme-specific syntax and semantics for http URLs. http_URL = "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]] so they could be just stripped away (at least for http,https)
No-- RFC 2616 defers to RFC 2396 on URL syntax in section 3.2.1: "For definitive information on URL syntax and semantics, see [...] RFC 2396". And RFC 2396 does allow for "<userinfo>@..." in the URL.
Since this is closely realted to this problem, Ive copied/blatantly-ripped portions of RFC 2396 for your inspection. For those who would care less, I am sorry for the bugspam. Full spec available at: http://rfc.sunsite.dk/rfc/rfc2396.html RFC 2396 URI Generic Syntax August 1998 Berners-Lee, et. al. Standards Track [Portions of Pgs. 13-14] 3.2.2. Server-based Naming Authority URL schemes that involve the direct use of an IP-based protocol to a specified server on the Internet use a common syntax for the server component of the URI's scheme-specific data: <userinfo>@<host>:<port> where <userinfo> may consist of a user name and, optionally, scheme- specific information about how to gain authorization to access the server. The parts "<userinfo>@" and ":<port>" may be omitted. server = [ [ userinfo "@" ] hostport ] The user information, if present, is followed by a commercial at-sign "@". userinfo = *( unreserved | escaped | ";" | ":" | "&" | "=" | "+" | "$" | "," ) Some URL schemes use the format "user:password" in the userinfo field. This practice is NOT RECOMMENDED, because the passing of authentication information in clear text (such as URI) has proven to be a security risk in almost every case where it has been used. The host is a domain name of a network host, or its IPv4 address as a set of four decimal digit groups separated by ".". Literal IPv6 addresses are not supported. hostport = host [ ":" port ] host = hostname | IPv4address hostname = *( domainlabel "." ) toplabel [ "." ] domainlabel = alphanum | alphanum *( alphanum | "-" ) alphanum toplabel = alpha | alpha *( alphanum | "-" ) alphanum IPv4address = 1*digit "." 1*digit "." 1*digit "." 1*digit port = *digit Hostnames take the form described in Section 3 of [RFC1034] and Section 2.1 of [RFC1123]: a sequence of domain labels separated by ".", each domain label starting and ending with an alphanumeric character and possibly also containing "-" characters. The rightmost domain label of a fully qualified domain name will never start with a digit, thus syntactically distinguishing domain names from IPv4 addresses, and may be followed by a single "." if it is necessary to distinguish between the complete domain name and any local domain. To actually be "Uniform" as a resource locator, a URL hostname should be a fully qualified domain name. In practice, however, the host component may be a local domain literal. Note: A suitable representation for including a literal IPv6 address as the host part of a URL is desired, but has not yet been determined or implemented in practice. The port is the network port number for the server. Most schemes designate protocols that have a default port number. Another port number may optionally be supplied, in decimal, separated from the host by a colon. If the port is omitted, the default port number is assumed.
Yes, I looked at rfc2396 before sending my comment, specifically the introduction: "This document defines a grammar that is a superset of all valid URI, such that an implementation can parse the common components of a URI reference without knowing the scheme-specific requirements of every possible identifier type. >>>>This document does not define a generative grammar for URI; that task will be performed by the individual specifications of each URI scheme.<<<<"
And if you look at rfc2616 where it references rfc2396 it says in section 3.2.1: This specification adopts the definitions of "URI-reference", "absoluteURI", "relativeURI", "port", "host","abs_path", "rel_path", and "authority" from that specification. and the specification of "host" in rfc2616 (section 3.2.2) doesn't include a "userinfo", that's the definition of "server".
RFC 2616 describes the HTTP-protocol, NOT HTTP-uris. RFC 2616 delegates that to RFC 2396 or to RFC1738 which has a specific section about http-uris. In my opinion RFC 2616 just defines a "simple" version of http uris as it was needed to explain the http protocol. RFC 2396 is the definitiv resource for URIs and RFC 1738 makes clear that username:password is possible (Section 3.1): ... While the syntax for the rest of the URL may vary depending on the particular scheme selected, URL schemes that involve the direct use of an IP-based protocol to a specified host on the Internet use a common syntax for the scheme-specific data: //<user>:<password>@<host>:<port>/<url-path> Some or all of the parts "<user>:<password>@", ":<password>", ":<port>", and "/<url-path>" may be excluded. ... And section 3.3: ... An HTTP URL takes the form: http://<host>:<port>/<path>?<searchpart> where <host> and <port> are as described in Section 3.1. ...
Peter, re: freedoms and standards, read "Code and Other Laws of Cyberspace". In cyberspace, code is analogous to law (because it defines the behavior of the program), and standards are analogous to comon law and/or social norms. If we do stupid things, like create browsers where every link could say one thing and do another, then we've created a fraud-ridden world. The internet as achitected, does inherently promote some types of freedom, but that does not exclude it from having elements of thoughtless design. -- That being said, I'd like to propose the following: 1- Get a dialog box checked in that flags only the worst kind of spoofing. 2- See what the reaction is into 1.7a. THEN debate this further, perhaps in a followup bug. I know this bug is long, but the posts increasingly reflect a lack of having read the previous posts. "HTTP doesn't have username in URLS" - it does. Seach Networking:HTTP for "@" "I don't think this is a serious security threat" - you can find stories of citibank spoofing in news.com "How can we colorize the URL?" - please move that to another bug! In a perfect world, I would have written more URL documentation to discuss the basis of this, but instead, I need to simply insist that we stop having certain threads that are not relevant. One last relevant comment. If a user gets a dialog, and then says "don't show me again", then that means either: 1- We warned them this was a problem, and they understand how to spot this and not get spoofed. 2- They decided they just didn't want to be bothered, and they want to go through life at an level of unsafety that the other browsers offer. One relevant comment: But by having the dialog, I think we have fulfilled our obligations of caring for their security. I think the other standard dialogs that we pop-up for security, actually are bad dialogs, and potentially should be removed, because they come up too often, and "cry wolf". I think we have established that very few legitimate sites use urls that would trip this dialog.
benc, Ill look into reading that book, next time I make a book purchase. Just a note, I have read all the comments in this thread. It's hard to remember them all because there are so many. I think dialogs are disruptive. They are good in some circumstances, but usually not a good way to give education. Good for things like hostname not found. Why not use the status bar to give a message? Spoofers have to host their website somewhere, what's to stop them from registering update-paypal-info.com How is this dialog going to HELP stop people from being victimized. Answer is a dialog won't. This is just a way to clear peoples conscience as many have mentioned: "At least we've done our part" This bug addresses larger issues than warning for username/password in url. Question: How will Mozilla 2.X be different from 1.X? Maybe we should think up a smart and intuitive interface where people can't be confused as to where they are. Otherwise, as the months pass we will just be adding more and more dialogs till people are just as annoyed with dialogs as with popups. This bug and it's discussion has raised a lot of issues. The dialog that comes up the first time a user sends unencrypted data is just as stupid as a dialog for this issue. We have a lock icon, we don't need a dialog. And if we had an extra spot for hostname we wouldnt need a dialog for this issue. Maybe we should put those GUI items near each other and have a trust rating. 1 to 5, kind of like the terrorist threat level. And when people visit a site a trust level is determined. This way banks can follow all the rules make sure they have a 5 for trust level and users will only enter their banking/credit card information there. Have Visa and Mastercard digitally sign domain names that should be accepting credit cards and let that information be shown through mozilla. This kind of thinking will make mozilla a secure browser to use for online commerce and make it a recommended choice by banks and such. Hopefully you can see I'm really trying hard to come up with an idea that will actually solve this problem, not just annoy people with more popup dialogs.
"Why not use the status bar to give a message?" First, most users are not technical. They do not look at the status bar. When they do, they do not know what it is. Second, there is no status bar in full screen mode (kiosk mode) (F11). Like the man said, let's put a dialog box in 1.7a and see how many bellyaches we get.
Blocks: majorbugs
Interesting: M$ plans to update the IE Microsoft plans to release a software update that modifies the default behavior of Internet Explorer for handling user information in HTTP and HTTPS URLs http://support.microsoft.com/default.aspx?scid=kb;[LN];834489
User-level workaround : I followed this bug for quite a long time and finally settled on a non-intrusive way to warn users even before they click on such links, by styling those links to make them stand out of the page. The result - see screenshot - is of course perfectible, but already sufficient to alert users. To do this, I just added the following 2 lines to my userContent.css : a[href*=".com@"]:before { content: url(http://lxr.mozilla.org/seamonkey/source/themes/classic/global/win/icons/alert-exclam.gif?raw=1) } a[href*=".com@"]:after { content: " [ Warning : this link could be an attempt to mislead you. Please exercise extreme caution if you decide to click on it ]" } (and so on for .com&, .net@, .net&, .org@, .org&) Note : a tooltip on the warning sign would be nicer, but I don't think it's possible using CSS alone. However, Mozilla could of course implement that more elegantly (Credit : inspired by http://www.squarefree.com/userstyles/userContent.css.txt)
Given that Microsoft plans to update to IE to complete do away with ALL HTTP/HTTPS AUTH, rather than attempting to sanity check them in any way, all I have to say is TFB to all your whiners who complained about how my original idea in the bug report to only care about .'s in usernames because it might inconvenience a dozen users at some obscure site or another using HTTP AUTH that's dumb enough to have usernames with dots in them. Mozilla should now just follow suit and disable ALL uses of HTTP AUTH in the browser because standard or not, now that MS is obsoleting it, the few remaining sites legitimately using will cease soon enough when they have the first reports from IE users with the patch that it no longer works and they realize MS will no longer support it. Of course I expect in reality that Mozilla will continue to do nothing, as those same whiners that obstructed anything constructive being done, like Adam's patch that apparently was never considered by anyone with any power in the Mozilla organization to do anything about it, to continue to whine about how Mozilla should continue to support HTTP AUTH anyway, because it is the "standard", even though only sites used where no users use IE would continue to use the brain-damaged HTTP AUTH option from this point on. Thus insuring that not only did Mozilla not take the leadership on this issue, despite my bug report being filed TWO YEARS AGO TOMORROW, it will probably remain for quite a while as the only browser still vulnerable in all its versions to the phishing scams. I'm sure those will go on for quite a while since there will be enough vulnerable versions of IE out there for several more years. No wonder Mozilla never went anywhere, people were too worried about stupid **** like themes and support for stuff no one uses like SVG and MNG, instead of worrying about things that will benefit the average end user. Mozilla should just give up any illusions it is for the average user, and just content itself to be a geek browser for people who are already too smart to fall for such scams, and those of us who got their friends and parents to use it when they had one too many bad experiences with IE can send them Opera's way instead since even though it is closed source and costs money, they actually seem to care about their users. I will probably get flamed for this, maybe even kicked off bugzilla, but I really don't care. I'm just so disappointed and disillusioned by the whole thing I probably won't bother to ever waste my time contributing bug reports to Mozilla again anyway.
Re comment 159: Please remember is that the vast majority of the people commenting on this bug don't represent Mozilla any more than you do. Adam is capable of requesting reviews for his patch and moving it towards checkin if he wants to. (Warning the user seems like a good idea to me, and sufficient for a significant portion of Mozilla's users, although I'm not sure if the criteria need to be as complicated as those in attachment 138901 [details] [diff] [review]. But that's not really relevant...)
This really is a tough bug. Microsoft is ridiculous. They might has well have made their third workaround: 3) Use Mozilla Correct me if I'm wrong but Mozilla is not as susceptible to this type of spoofing because it correctly places a / when no path information is given. As per the standard. So in IE you can have this listed in the address bar: http://www.yahoo.com In Mozilla it always gets listed as: http://www.yahoo.com/ So if you see a url: http://www.bankofcanada.com________:safjklasfjqwfwqiojajlziojez@gotyourmoneyspoofer.com Then you know that www.bankofcanada.com is not the host because the host is always followed by a / in the standard and in mozilla. I don't mean to imply that people still aren't fooled. But some education on the users part is required. I got 6 MyDoom viruses before I manually updating Norton, I had to use my own brain to figure out they were viruses. Maybe someone should submit an RFC to change the URI syntax to not allow w and . in the username. Microsoft isn't fixing anything. Half the Internet still surfs with a pre IE6 browser. I defintely sympatize with slice1900 it's been 2 years something should be done. I'm not the leader here I just suggest ideas, even if some are out of the (dialog) box. We need the leader to make a decision and I'll live with it. On a personal opinion note. I need to stress again that username and passwords are embedded so that dialogs are not prompted.
I completely agree with slice1900. There are at least two patches listed on this bug, both of them would be better than the status quo. Note that MS hasn't disabled HTTP Basic Auth, they've just disabled that part of the URL syntax which permits usernames to be sent as part of the URL. That's probably a third patch that should be considered in light of recent news, even if it was considered too drastic earlier. Two years is just stupid. Like, *completely* stupid. Any reason why the 2004-01-12 patch listed above can't be committed *today*?? If it's less than completely optimal it can always be changed later, but two entire years with a known-broken status quo is just abysmal.
A lot of people are missing the point here. The problem of hiding part of the url has been fixed, mozilla now always shows the entire url of the site they are viewing or will view if they click a link. This bug is currently about helping the user understand what site they are on when the url is somehow obscured. This doesn't fall into technical bugs, it falls into social engineering, together with mailing users and *asking* them for their creditcard number (which btw works just fine). This doesn't mean that we can't or shouldn't do anything about it, but it does mean that we have to change our way of thinking. Most users won't know to look for /'es or @'s or any other character. Actually, most users will even fall for urls such as: http://www.paypal.com.evil.com/, heck even http://www.paypal.evil.com/ would probably fool a lot of people. Especially if you add a lot of crap afterwards so that you just skim over it. No url-evilness-heuristics will be able to detect an url like that (sort of rejecting any urls from "evil.com" of course ;-) ). The only thing we could do is to emphasize the two last sections of the domain-name, i.e. 'evil.com', somewhere where the user can clearly see it. Either by marking that part of the url in urlbar itself, or displaying it in a separate section somewhere in the UI.
Emphasising the last two elements of the domain name is no good -- unless the entire useful part of the Internet is in the US. I can't see that it'd be useful for Mozilla to hilight "com.au" or "ac.uk" at the end of long URLs :-) Just to reiterate: there are two patches above which have been extensively discussed, which address the social engineering aspect of the problem, which are better than the status quo, and which have not been committed. Is there any reason why one of them can't be committed *today* ? Two years is just embarrassing. - mark
Re comment #163 and comment #164, a URL ending in .com does not indicate that it is a site in the USA. However, a URL ending in .us does indicate that it is a site in the USA. e.g. www.revenue.state.nh.us is a valid site name, and in this case is used by the Department of Revenue in New Hampshire, USA.
Just to add to the previous comments, I know a number of .nz servers are operated by nz companies but physically hosted in the US for bandwidth reasons. I imagine the same goes for a number of other country TLDs
slice: the important thing is what we are going to do today and tomorrow. Not many people have been affected by this attack, but it remains (IMHO) a serious form of spoofing. If you simply have lost patience, close this bug, and I'll re-file, so you don't keep getting the bugmail. jonas: really long domain name spoofing has always been a problem, but it appears that existing enforcement mechanisms have kept this limited. For one thing, a hostmaster is direcctly on the hook for the contents of the subdomain, if they refused to correct the situation, their delegation to their domain could be unplugged. It is also a clear violation of trademark, so the law firms hired to protect this jump on violations immediately. The spoofing here is more complicated, because the spoofer points to a URL, and web page ownership of often much harder to establish (for example, the system could be hacked).
Jonas makes some really good points. This is a social engineering issue and none of the solutions suggested will actually put the spoofers out of business. The only way you can beat the spoofers is through education. We can teach everyone how to parse the URL how it's defined in the RFC or we can clearly place the hostname somewhere seperately and educate people to enter information only at hostnames that exactly match what they are accepting. Even that won't stop all the victims of spoofers. Some people are gullible and will fall for anything. Reality check: Nothing we do here will make a big impact on spoofers. Mozilla has a small user base and is used by mostly literate computer users. Spoofers go for the stupidiest people. Which is why they spam people using AOL and Hotmail. Cause a huge percentage of the least computer literate people are customers of those companies. On the MS issue. They are probably making the url return a syntax error so that they don't have to fix this issue by getting rid of the stupid frame on external hotmail links.
>exactly match what they are accepting. exactly match what they are expecting. I shouldn't post when I'm tired. Sorry for the spam.
Blocks: 232560
*** Bug 232567 has been marked as a duplicate of this bug. ***
A little question about the MS-"solution" I just wanted to add to Bug 232567. What about URLs like: ftp://www.mozilla.org:advdfbdfndfn@evil.com/evilpage.html The user may still think he's at mozilla.org. OK, it's a ftp URL so some might recognize the trick, but for sure not everybody will. IMHO by removing support for http URLs with username/password they are only moving the problem to another place. just my 0.02¤
FYI, bug 228524 shows experimental code which displays only the hostname (and SSL cert owner) in the toolbar.
I'm sure we will get this bug resolved now that Microsoft has given us a reason to do it. :-) RFC 1738 says that the user:pass part of a URL "may be excluded". If we could go back to December 1994 and say, "hey, Tim, there's a hole" he would say, "okay, better make it very excluded." :-) Being able to put user:pass in a URL was great in 1994 but it's not suitable in today's world. It's had it's day, it's done it's stuff, let's give it a nice present as a parting gift and move on folks. Just dropping it is simple, it's bulletproof, it'll unblock a bunch of bugs, and it's low-bloat. :-)
FYI, what MS does is wrong. They claim (to the user even!) that these URLs are syntactically invalid, which is just plain wrong. They probably just were lazy and completely dropped username/pw-support from their URL parser. This isn't necessary at all. The *only* problem with the spoofing is the *display* to the user, not the processing. Only when it's displayed can it confuse the user. It's enough to change the display to remove the problem. There are many possible solutions: - don't display username/password at all in urlbar (and maybe statusbar) - crop username after 5-8 chars (e.g. "joe.u...@mysite.com" and "www.m...@123.123.123.123") - escape dots ("www%2emicrosoft%2dcom@123.123.123.123") - a warning dialog in very suspicious situations
I use the http://user:pass@host/ syntax a lot for perfectly legitimate reasons. And I copy URIs from the location bar all the time, expecting them to round trip. Neither of these use cases should be broken IMHO. Escaping the dots solves the problem without breaking anything. That, to me, seems like the superior solution. It's also remarkably simple.
I could not agree more. Ben is right in the sense it's only a display problem, and escaping the dots seems has no drawback IMHO. So does someone vote against this proposal ?
The problem with just escaping the dots is that the user may have gotten the URL from elsewhere, and may not check the URL bar after visiting the link. For example, if they click on the link from a scam email, believing it's a link to eBay they're clicking on, the email app won't display the URL with dots escaped, and a user may not check the URL bar in their browser to make sure they are going to the right place. Further, by the time the page has loaded the damage may already be done; for example if the scam site is stealing cookies in a cross-site scripting attack, or exploiting a future bug in Mozilla. I think a user needs to know what site they're going to before Mozilla loads the page. A cleaner way to handle this would be to display a password dialog the first time a user visits each URL with a username and/or password in it. The dialog could simply say "The site www.shadysite.com has requested that you log in.", with a spot for username and password below. If they are provided in the URL, they are filled in. After the user has confirmed this once, it will not prompt again in that session (much like HTTP auth dialogs work). Confirming once shouldn't be annoying, it clarifies to the user the site they're going to before it loads, and it's not something that most mainstream Web sites use, so a user would be surprised if they visited a link they thought was to eBay and this dialog came up (hopefully making them read the dialog). Much of this code must already exist, since we can prompt for username and password for HTTP AUTH, and track the information appropriately.
I vote strongly in favor of Scott's suggestion in #177! A username of www.ebay.com in this dialog should be a good tip-off to a user that something fishy is going on. That plus it allows the removal of the user/password from the URL in the address bar if one chooses (hiding user/password in the URL bar could be an option the user can set via prefs.) If the user also has the option of having Mozilla remember the user/password like they do for simple auth, then it makes it a real non-issue for the end user. One final change could be made that compares the user/password passed in the URL to one saved by the password manager. If they match, don't display the dialog (since we can assume if the user/password is in the URL that is the user/password they intend to use.) They would see the dialog a couple of times until they decided to check the "Use password manager to remember these values." box. IMHO, this is the most elegant solution I've seen yet without forcing us to read the user's mind or the mind of the web site operator.
(In reply to comment #177) > A cleaner way to handle this would be to display a password dialog the first > time a user visits each URL with a username and/or password in it. The dialog > could simply say "The site www.shadysite.com has requested that you log in.", > with a spot for username and password below. If they are provided in the URL, > they are filled in. After the user has confirmed this once, it will not prompt > again in that session (much like HTTP auth dialogs work). Confirming once > shouldn't be annoying, it clarifies to the user the site they're going to before > it loads, and it's not something that most mainstream Web sites use, so a user > would be surprised if they visited a link they thought was to eBay and this > dialog came up (hopefully making them read the dialog). Much of this code must > already exist, since we can prompt for username and password for HTTP AUTH, and > track the information appropriately. yes, this would be trivial to implement. i'm not sure it is what we want to do, but it could certainly be easily done.
I'm torn up about this... I'm interested in seeing us not breaking parts of a long standing standard but here are some thoughts on my mind... For "valid uses" of this syntax there isn't there a certain expection of security around people put authentication on a host? If users are storing and passing around "user:pass" portions of http://user:pass@host/path-directory-or-file aren't they violating that expectation of security... Sure it makes things easier, but are we weighing this "easy of use" against the pitfalls and side effects storing and passing around user:pass@host combinations in clear text, in addition to the other part of the "invalid/spoofing uses". I've used this myself, and also set up servers to offer this as "weak security" to provide a minimal level of security protection. Maybe it's time for "minimal security access" systems to be rethought... I'm not sure if I understand the reasoning and rational for new dialog boxes that prompt if the URL looks fishy... don't we still prompt for user name and password when a user hits http://host/path-directory-or-file when authenication is set up? If we disallow or remove "user:pass" we already have a dialog system that we can use.
re: comment #180 The username and password is sent cleartext even if it is entered in the dialog box. The only difference is that it appears in the URL bar and history. If a web designer is actually seriously concerned about security, they shouldn't use simple auth anyhow. As far as already having a dialog goes, I agree.. we already have one we can use. I'd like to see the developers use the suggestions in #177 and #178 for (hopefully) a quick but comprehensive fix. Using the dialog doesn't make any statement that a site is "evil" and doesn't require Mozilla to decide if sites are bad or not (which, IMHO, it shouldn't be doing anyhow.) It will work regardless of the visibility of the status bar or URL bar. It should be minimally invasive (possibly less so than normal use of simple authentication.) It won't be easy for the bad guys to trick or work around. And it shouldn't require constant updates to combat new tricks. In short it seems to be a great solution to me.
I still don't understand why we couldn't simply remove the username:password part of the url when displaying it in the urlbar. We don't display username and password there when the user logs in the normal way. And for good reason too, i wouldn't want someone looking over my shoulder to be able to see what password i've used. And the same somewhat applies to the username. I will still be able to modify the url in the urlbar to go to a different place in the website without having to re-login, for the same reason that i can when the username/password were entered through a dialog rather then through a url. This could also fix bug 130327. Yes, it will break partially break Ians second usecase from comment 175; if you copy the url and restart the browser then you can't simply paste the url to get automatically logged in. However this is a security over feature concern, even if we escape dots users will be fooled by urls like http://www_microsoft_com%20lotsofcrufthere:passwd@evil.com. And when displaying the url in the statusbar we could display: http://evil.com/ (username="www_microsoft_com lotsofcrufthere" password="passwd"). That value won't ever be copied or edited or parsed anyway.
> FYI, what MS does is wrong. Perhaps what MS is going to do is partly right but as usual just not quite. What they mean is, "Sorry, the syntax is not supported for security reasons." Remember psychology. A lot of what we perceive is what we expect. We're talking about a situation where someone believes they have correspondence from someone they trust. What we see is coloured by expectation. Plus untrained users have learned that computers cry wolf all the time. I think MS has correctly IMHO worked out that once someone has started down that path some seriously strong medicine is needed, and display hardly comes into it. > This isn't necessary at all ...from a technical point of view, but it might be from a human-computer interaction point of view. Besides, from a technical point of view, it's just an optional part of the syntax and we can resolve the bug by making it even more optional. :-)
(In reply to comment #173) > RFC 1738 says that the user:pass part of a URL "may be excluded". If we could go > back to December 1994 and say, "hey, Tim, there's a hole" he would say, "okay, > better make it very excluded." :-) and RFC 2396 changes the definition of "user:password" to "userinfo" and says that's not recommended to use the "user:password" format in the "userinfo" field, while RFC 2616 says that the "userinfo" part just isn't there in http uri, so for once microsoft is doing the "right thing"(tm) wrt RFCs.
Why not use syntax highlighting in the address bar? Either the foreground/font color or the background color could be used to make the actual domain name clear to the user. For example, the user:password part could be in red, while the domain would be in bold. The first time the user would encounter this type of url, a popup might appear to explain what is going on. The popup would have a "never display again" option...
I think that the news of changes to MSIE does affect decisions on this bug a little. If MS does enact these changes, then this part of the standard will likely fade away in time as I can't see anyone wanting to implement a feature that is not used by the primary web browser. So an opportunity to re-cap on the goal: GOAL: We want to make it hard/impossible for a user to be duped into clicking on a spoof link and arrive that they think is a legitimate site when it isn't. The primary vector for attack is by sending the user an email. A secondary vector would be by a link on a web site. And here are some facts (feel free to disagree, although I have tried to remain impartial and objective here so please only argue if there is a point to be made!): 1). Broadly, all users are at risk of this since all users are able to follow hyper-links. Users at greater risk are those who are less technically aware and/or less security aware. This group represents that majority [of internet users]. 2). There are users who currently make use of this user authentication feature. They are the minority. 3). It would appear that MS has taken the view that removing this feature altogether who make their product more secure for the majority. Where people are using this feature, there are work-arounds. MY VIEW: I think removing this feature now would be premature. If MS removes this feature altogether then it might give Mozilla an opportunity to gain a foot-hold in certain "verticals". However, if we leave the feature in whilst MSIE does not suffer the same "vulnerability" then that might place us on a back-foot. In the real world this probably doesn't represent much risk as Mozilla users are in the main more technically literate than MSIE users (I don't mean that in a disparaging way to MSIE users). Why don't we simply make user-authentication by URL an optional feature? And why don't we have it disabled by default? What I don't know is why and/or how this feature is being used. And I don't know what percentage of the user base this represents. If you use this feature, would you object to it being an option that you need to enable? You'd only have to do it once! If this was acceptable, this would (I think) resolve everything -- all parties would be happy. Surely?! :) ps. Apologies for stomping over previous suggestions re dialogs/modifying the address bar, etc. A week ago I had different opinions, but now, given MS's stance, I think this re-evaluation is a useful exercise.
In the year I have been tracking this bug, the ones from the past few days have impressed me. I am unsure whether the driving force is the age of this bug or Microsoft's decision to axe this type of urls. Just a few (semi-recycled) ideas... 1. Display the server address in the status bar. For example, if the link is to http://hotmail.com@evilsite.net/hotmail then http://evilsite.net/hotmail will be shown in the stausbar. This eliminates the fake garbage added to spoof urls. Coloring the sections of the url is useless, since the spoof logins are too long to show the entire string. 2. Displaying a dialog with the server, username and password. Give the user the info right up front. Even better, put the "Continue" button in a funny spot, to make the user stop and read the dialog. The Cancel/Stop button must have focus by default and be in an obvious location. 3. As I have stated numerous times before, bury the no-dialog option deep within the preferences. The average joe cannot be trusted with permenantly dismissing dialogs. 4. Adding symbol similar to one shown in the "Screenshot of styled page (this page, in fact) - no mockup" attachment. With one change, to maintain the flow of text, make the image height match the height of the text. Clicking the symbol brings up information about spoof urls, and how to tell if the link is legitimate or a fake. 5. Automatic blocking if the link contains the %00&#1; IE exploit. No legitimate site would use this type of link. I thing everyone will agree to this.
> I still don't understand why we couldn't simply remove the username:password > part of the url when displaying it in the urlbar. I frequently type addresses into the address bar including user:pass info and then once i've checked it works, copy it. The above would break that. > [dialog] Opera has a dialog for this. It's quite annoying. I recommend against it. > http://www_microsoft_com:.../ So also escape underscores. Escape anything you have to -- everything except US ASCII, if you have to. > [other sources] [future bugs] Then those other sources are insecure. Let's not try to fix all the world's problems -- fixing our own is enough.
Oh and anothe thing. Dialogs don't work. It is a recognised fact of UI design that real users (those we're trying to "save") have one reaction to dialogs and one alone: get rid of it by any means possible, and under no circumstances read it. So I strongly urge the "dialog" camp to revise their opinion. :-)
[re-use password dialog] > A username of www.ebay.com in this dialog should be a good tip-off to a > user that something fishy is going on. If you are not familar with HTTP auth and just quickly glance over the dialog, you may just read "www.ebay.com" and think "OK, eBay, that's what I expected, why did this stupid dialog come up now? Go away.". For this reason, IMHO any (warning) dialog should *not* display the credentials at all. > while RFC 2616 says that the "userinfo" part just isn't there in http > uri, so for once microsoft is doing the "right thing"(tm) wrt RFCs. Wrong. See comment 148. > from a technical point of view, it's just an optional part of the syntax and > we can resolve the bug by making it even more optional. It's optional in the sense that not every URL must have that part. That doesn't mean that the software may bail, if it exists. > Why not use syntax highlighting in the address bar? Already discussed above. > Why don't we simply make user-authentication by URL an optional feature? > And why don't we have it disabled by default? We have too many prefs already. > put the "Continue" button in a funny > spot, to make the user stop and read the dialog. On the backside of the monitor?
> > I still don't understand why we couldn't simply remove the username:password > > part of the url when displaying it in the urlbar. > > I frequently type addresses into the address bar including user:pass info and > then once i've checked it works, copy it. The above would break that. First of all i think a fairly small part of the userbase does this. Small enough that security of the larger userbase is more important. Second, just copy before hitting enter. Problem solved :) > > http://www_microsoft_com:.../ > > So also escape underscores. Escape anything you have to -- everything except > US ASCII, if you have to. That'd be a bit nasty if we did for all of the url. Though i suppose we could do it only for the username:password part.
If Microsoft wants to drop the userinfo part of the url that is their problem. As long as userinfo is part of the RFCs that describe URLs (and the definitive RFC on that currently is RFC 2396) we do and we should implement it. If MSIE drops the support I would see it as a distinctiv advantage of Mozilla that we still do. Make the url in the status-bar use syntax highlightning that clearly marks potentially dangerous parts or if the link is already clicked, let the page flash with a red background to warn the user or something similar.
(In reply to comment #191) >> >> I frequently type addresses into the address bar including user:pass info and >> then once i've checked it works, copy it. The above would break that. > > First of all i think a fairly small part of the userbase does this. Small > enough that security of the larger userbase is more important. Nice to know you don't consider me an important user... > Second, just copy before hitting enter. Problem solved :) That wouldn't catch the normalising of the URI which is what I'm really after. > That'd be a bit nasty if we did for all of the url. Though i suppose we could > do it only for the username:password part. This proposal has always only mentioned doing it for the username part. Note that this doesn't affect most legitimate users at all, and doesn't annoy or harm or confuse other legitimate users. Only illegitimate users are likely to get in any way confused or worried, and that is exactly what we want to happen.
I also vote for Comment #177. It's very elegant, doesn't add any more types of dialog boxes, behaves like other authentication mechanisms, and informs the user BEFORE the page is loaded. Most importantly, it makes no additonal decisions on whether a URL is valid or not, and does not change other parts of the UI. Although we'd like an 'idiot-proof' environment, as we know, only an idiot would want to use it. This mechanism displays all the information that a user requires to make an informed decision, and uses an already established mechanism. What the user decides to do is up to them. I believe in informing the user, but not babying them. As others have stated above, I believe that fixing this bug is very important to the continued adoption of Mozilla as a viable browser. Hopefully this can happen soon.
Also, given the length of time this feature has been available, realize that taking it out now will result far more negatively than when MNG was removed. Perhaps something can be done for links that come from other programs (like e-mail) but for links that I put in myself, I want the user/pass stuff to be handled and saved properly, even if it doesn't show up in the bar. These types of links are commonly used in academia when it doesn't matter if anybody within the university knows the password; they're used as a crude way to keep outsiders from stealing course content. I've seen similar approaches used in companies providing temporary download sites for customers (and a lot of the time, the username is going to contain a domain-- the domain of the customer) Also, while it might require a slight bit more technical ability for the attacker, a DNS name like www.hotmail.com.some.other.junk.evilsite.com is still possible, so this really won't help the matter that much. I wonder how much extra bloat parsing URLs like this is going to incur. I don't think this is going to help much-- we've got MyDoom running around all over the place, even without really spoofing anything; people open the attachments anyway.
Ben. Good work I agree with your GUI designs and posts. One suggestion is to leave the www. part. GOOD IDEA: I have a good idea that takes from other ideas suggested. Please someone attempt to pick it apart. -We can remove the username:password from the url bar by default. But still allow the information to authenticate as if it were not removed. -This means no functionality or automated scripts would be broken. Regular users to websites will not be disturbed in any way and website owners will remain confident their links will still work. -For those that like to copy and paste the urls WITH the username:password we have a simple boolean option in about:config. This satisfies people who manually enter the information and wish to copy and paste it.
I 've been talking to many people in our company, with web-tech skills varying from very simple web users (like accounters) to really experinecd ones (programmers who are living by rewriting IE in customize some our kiosk products). They all agree if: 1. username/password will be deleted (actually hidden) from being displayed in URL, but... 2. there will be some sort of alert icons, which will be highlighted immidiately if the current URL has a hidden username/password. 3. And like with popup blocking alert icon, if you click on it it will dispaly the username/password if any hidden. Such solution will improve security in two areas: A. it will avoid confusing users by spoofing the actual URL - very important for no-experienced users; B. it would avoid behind-the shoulder guests to read the actually impirtant passwords in the URL string - very important when computer is in the public place. Our IE programmers told that they would create a similar solution for our cutomized IE based browser if the boss would require it. ... ehhh, if only our boss would require to move to Mozilla based customized browser ...
Here is a case we have to deal with: http://ddkg29egb.da.ru/ Turn off popup blocking and visit that site. Imagine you actually followed the following (invalid) URI in your non-Mozilla mail client, which incorrectly normalised the escapes before passing it to Mozilla [1]: http://www.citibank.com:80@%64%64%6b%6729%65%67%62%2e%44%61%2e%52%75/verify Things to note: 1. It shows a legitimate URI in the background. 2. It shows a window in the foreground with no easy way to determine the hostname. The escaping idea, together with putting the hostname in the window caption when the location bar is hidden (much like we put [Javascript Dialog] in dialog captions), would, I think, take care of this case. [1] Actually Mozilla itself is interpreting the escapes in cases like the above in certain cases. If we do those in any cases other than links then that should be filed separately. (It's ok to do it for <a> links since we show the hyperlink unescaped in the status bar.)
(In reply to comment #186) [Warning : potentially offending contents] > What I don't know is why and/or how this feature is being used. Well, see http://www.ultrapasswords.com/ for example :-) > And I don't know what percentage of the user base this represents. If you ask "Who regularly visit porn sites", you might be answered "no-one". But you know Mozilla already is the preferred browser for erotic websites fans. Please note that I don't make any judgement whether getting/distributing passwords to enter X-rated websites is legit or not.
Adam: (per your request in comment #126) Comments on patch: + PRBool isHttp = PR_FALSE; + PRBool isHttps = PR_FALSE; + aURI->SchemeIs("http", &isHttp); + aURI->SchemeIs("https", &isHttps); + if (!isHttp && !isHttps) Are we planning on supporting any scheme that has user:pass? If so, we need to add "ftp:" ? I like what I see, especially the way spoofing is measured as a "dubiousness" value that can be incremented by various evaluations and a threshold (currently <2) controls the usage of a warning. As I've stated in #120, I think we should flag any presence of a "." (or perhaps 2 periods), in other words, anything that could spoof a legitimate FQDN (domain name). The current focus of spoofers is brand name portal sites, but anticipate forged email to attack corporate intranets next (mcom.com, server.mcom.com"). What will it take to check something in? Who needs to approve this, and what level of consensus is needed? Adam, you wrote the patch, do you want to take ownership, and I'll take QA?
IMHO the current patch is way over-engineered, especially considering the arguments against any kind of dialog box (they are annoying and users don't read them, whatever they say), and the proposed alternatives (escape dots in the username and password part, place the hostname in the title bar if the location bar is hidden).
Excellent point. Let's spend another two years talking about it instead of fixing the security vulnerability, eh? That way we can be completely sure that we'll get a 100% perfect fix the very first time, without all that messy stuffing-about with CVS afterwards. Sigh.
*or* we could spend time on half-way implementing features which bloats the code and makes it more bugprone, which will introduce even *more* security bugs. Yeah, that sounds good. No disrespect to Adams patch, it's always nice to see implementations of ideas, makes for a much better discussion.
I have spent the last few hours reading this bug, and there are many ideas in here that I believe would work. As far as the escaping the username and password in the URI idea goes I have an additional comment (Not that I'm advocating this solution as I believe other solutions go further). Surely the *whole* of the username and password could be escaped without breaking anything, and infact leaving things more secure as the over the shoulder password taking would be a lot more difficult. That way an average user *who looks at the addressbar after navigating to a page* will not be fooled by http://www.citibank.com:80@www.evildomain.com as instead of looking like http://www%2ecitibank%2ecom:80@www.evildomain.com which is still similar it will look like http://%77%77%77%2e%63%69%74%69%62%61%6e%6b%2e%63%6f%6d:%38%30@www.evildomain.com
May that my opinion is unnecessary here but it seems that it's not clear if a username and password in http urls are valid or not. I think all people will agree that the RFC 2616 and RFC 2396 are the valid and required RFCs to interpret the HTTP URL syntax. I think some people misinterpret some parts. (Maybe I also misinterpret those RFC's because I'm also not firm with them.) The question is "is the definition of http_URL valid and contains it only a hostname" in 1) RFC 2616; 3.2.2 http URL: The "http" scheme is used to locate network resources via the HTTP protocol. This section defines the scheme-specific syntax and semantics for http URLs. http_URL = "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]] In my opinion: definitive 'yes'. A _valid_ http url _could_ not have a username and/or password. Motivation: 2) RFC 2396; 1.2. URI, URL, and URN In other words, the URI syntax is a superset of the syntax of all URI schemes. In other words RFC 2396 can not describe an individual scheme (like http). IMHO it only describes a template. 3) RFC 2396; 1. Introduction: This document updates and merges "Uniform Resource Locators" [RFC1738] and "Relative Uniform Resource Locators" [RFC1808] in order to define a single, generic syntax for all URI. It excludes those portions of RFC 1738 that defined the specific syntax of individual URL schemes; those portions will be updated as separate documents, as will the process for registration of new URI schemes. Other documents (RFCs) could define the syntax of individual URL schemes, like RFC 2616 does in citation 1). I have not verified it, but I think the restrictions and specifications made by the http_url definition does not break this generic syntax, and they valid because they are updates for this "http" (=individual) URL scheme. Some argumented that RFC 2396 has defined 'userinfo' for URI in 4) RFC 2396; 3.2.2. Server-based Naming Authority (See comment 149 for citation) That is wrong! RFC 2396 describes a superset, not a specific scheme. It defines that URL schemes could (NOT MUST) have the 'userinfo'. 5) RFC 2616; 3.2.1 General Syntax: For definitive information on URL syntax and semantics, see "Uniform Resource Identifiers (URI): Generic Syntax and Semantics," RFC 2396 I think this refers to RFC 2396, if (and only if) something in the URL description of the RFC is not clearly described or defined. This explicit fulfilled for some definitions: 6) RFC 2616; 3.2.1 General Syntax: This specification adopts the definitions of "URI-reference", "absoluteURI", "relativeURI", "port", "host","abs_path", "rel_path", and "authority" from that specification. As described in comment 151: 'host' is defined in RFC 2396 and does not include 'userinfo', so a _valid_ http url _could_ not have a username and/or password. Other interesting drafts and RFCs are *) RFC 2718 (Guidelines for new URL Schemes) *) RFC 2732 (IPv6 Literal Addresses in URL's) This is an URL definition update for RFC 2396 *) draft of HTTP AUTH URL This includes an update for RFC 2396 with 'userinfo' in http URL's: http://www.ietf.org/internet-drafts/draft-melnikov-http-auth-url-00.txt
(In reply to comment #205) > The question is "is the definition of http_URL valid and contains it only a > hostname" in > 1) RFC 2616; 3.2.2 http URL: > The "http" scheme is used to locate network resources via the HTTP > protocol. This section defines the scheme-specific syntax and > semantics for http URLs. > http_URL = "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]] > > In my opinion: definitive 'yes'. > A _valid_ http url _could_ not have a username and/or password. > > Motivation: > 2) RFC 2396; 1.2. URI, URL, and URN > In other words, the URI syntax is a superset > of the syntax of all URI schemes. > > In other words RFC 2396 can not describe an individual scheme (like http). > IMHO it only describes a template. This is basically the same logic that Microsoft used in eliminating the username:password from http/https requests with the recent February security patch to IE6 SP1. See the section labeled CAN-2003-1025 at http://www.microsoft.com/technet/security/bulletin/MS04-004.asp for details. That being said, instead of dropping support entirely, I personally would be in favor of comment #177. Once per session, put up a prefilled in username password dialog box when any username:password URLs (http, https, ftp, news, etc) are requested. However something needs to be done NOW.
Sorry, not a programmer, so can't comment on the patch. Also, started zoning out while reading 180+ comments so apologies if these suggestions have already been made. 1. If the location field is hidden, definitely show a dialog box. By the way, I personally will miss the warning if it's in the status bar or location box. 2. Suggestion for dialog: [! symbol] You are about to go to "[de-escaped domain in big bold letters]". Do you really want to do this? Buttons: Continue Stop Check box: Remember this decision 3. Suggestion for [de-escaped domain]: <preceding node>\.[a-z][a-z][a-z]+$ <2nd preceding node>\.<preceding node>(\.[a-z][a-z])+$ 4. Please, no flashing of any kind. Violates W3C accessibility guidelines. 5. %01 has also been listed as a hack in at least one article I read (in addition to @ and %00).
For those who don't have or use Internet Explorer 6 or Windows XP: The Windows Update patch for IE6 which is mentioned above has arrived and is causing valid URLs to return "invalid syntax error".
(In reply to comment #208) > For those who don't have or use Internet Explorer 6 or Windows XP: > The Windows Update patch for IE6 which is mentioned above has arrived and is > causing valid URLs to return "invalid syntax error". Could you give an example of a valid URL that returns "invalid syntax error". Something other than http://user@password:www.sample.com, of course; based upon the reasoning used in comment #205, that wouldn't necessarily be a valid http URL. They should be posted so that whichever scheme that is eventually adopted for Mozilla doesn't also trip up on them.
As far as I know it's pretty obvious that username and password are valid according to RFC. If not then why would Mozilla and IE support them in the first place. But I'll leave that final decision for those capable of understanding the poorly worded RFC english from the W3. Anyways, to answer your question Kelley. http://@www.microsoft.com/ http://user@www.microsoft.com/ http://user:pass@www.microsoft.com/ http://www.microsoft.com@/ http://www.microsoft.com@ http://www.microsoft.com:80a/ All of the above return invalid syntax error. @ before host will trip the error non numberic port will trip the error. http://www.micro%20soft.com/ This did not return invalid syntax it returned Cannot find server.
(In reply to comment #152) > RFC 2616 describes the HTTP-protocol, NOT HTTP-uris. RFC 2616 delegates that to > RFC 2396 or to RFC1738 which has a specific section about http-uris. > > In my opinion RFC 2616 just defines a "simple" version of http uris as it was > needed to explain the http protocol. RFC 2396 is the definitiv resource for URIs > and RFC 1738 makes clear that username:password is possible (Section 3.1): > > ... > While the syntax for the rest of the URL may vary depending on the > particular scheme selected, URL schemes that involve the direct use > of an IP-based protocol to a specified host on the Internet use a > common syntax for the scheme-specific data: > > //<user>:<password>@<host>:<port>/<url-path> > > Some or all of the parts "<user>:<password>@", ":<password>", > ":<port>", and "/<url-path>" may be excluded. > ... > > And section 3.3: > > ... > An HTTP URL takes the form: > > http://<host>:<port>/<path>?<searchpart> > > where <host> and <port> are as described in Section 3.1. > ... You 're NOT right, because RFC 1738 says: 3.3. HTTP The HTTP URL scheme is used to designate Internet resources accessible using HTTP (HyperText Transfer Protocol). The HTTP protocol is specified elsewhere. This specification only describes the syntax of HTTP URLs. An HTTP URL takes the form: http://<host>:<port>/<path>?<searchpart> where <host> and <port> are as described in Section 3.1. If :<port> is omitted, the port defaults to 80. No user name or password is allowed. <path> is an HTTP selector, and <searchpart> is a query string. The <path> is optional, as is the <searchpart> and its preceding "?". If neither <path> nor <searchpart> is present, the "/" may also be omitted. Within the <path> and <searchpart> components, "/", ";", "?" are reserved. The "/" character may be used within HTTP to designate a hierarchical structure. So they have made crystal clear that a username and password is NOT allowed in HTTP URL.... I think that this is the definitive resource for the definition of the HTTP URLs, so we should simply follow MS way and say to the user that the sintax on not valid....(Althought I'm not that happy in saying that MS has done the right thing this time...)
(In reply to comment #152) > RFC 2616 describes the HTTP-protocol, NOT HTTP-uris. RFC 2616 delegates that to > RFC 2396 or to RFC1738 which has a specific section about http-uris. > > In my opinion RFC 2616 just defines a "simple" version of http uris as it was > needed to explain the http protocol. RFC 2396 is the definitiv resource for URIs > and RFC 1738 makes clear that username:password is possible (Section 3.1): > > ... > While the syntax for the rest of the URL may vary depending on the > particular scheme selected, URL schemes that involve the direct use > of an IP-based protocol to a specified host on the Internet use a > common syntax for the scheme-specific data: > > //<user>:<password>@<host>:<port>/<url-path> > > Some or all of the parts "<user>:<password>@", ":<password>", > ":<port>", and "/<url-path>" may be excluded. > ... > > And section 3.3: > > ... > An HTTP URL takes the form: > > http://<host>:<port>/<path>?<searchpart> > > where <host> and <port> are as described in Section 3.1. > ... You 're NOT right, because RFC 1738 says: 3.3. HTTP The HTTP URL scheme is used to designate Internet resources accessible using HTTP (HyperText Transfer Protocol). The HTTP protocol is specified elsewhere. This specification only describes the syntax of HTTP URLs. An HTTP URL takes the form: http://<host>:<port>/<path>?<searchpart> where <host> and <port> are as described in Section 3.1. If :<port> is omitted, the port defaults to 80. No user name or password is allowed. <path> is an HTTP selector, and <searchpart> is a query string. The <path> is optional, as is the <searchpart> and its preceding "?". If neither <path> nor <searchpart> is present, the "/" may also be omitted. Within the <path> and <searchpart> components, "/", ";", "?" are reserved. The "/" character may be used within HTTP to designate a hierarchical structure. So they have made crystal clear that a username and password is NOT allowed in HTTP URL.... I think that this is the definitive resource for the definition of the HTTP URLs, so we should simply follow MS way and say to the user that the sintax on not valid....(Althought I'm not that happy in saying that MS has done the right thing this time...)
It has already been mentioned that the syntax "userinfo@host:port" is allowed in rfc 2396 (which updates rfc 1738) - see comment #149. So it's not a syntax error, it's merely not a recommended place to put a username/password. And it is still occasionally (?) used, which is a reason not to abolish support completely. Although I imagine nowdays illigitimate use occurs more frequently than legitimate use? Personally, I'd feel OK with an authentication dialogue and scrapping the userinfo once submitted.
(In reply to comment #210) > http://@www.microsoft.com/ This is an invalid http URI. > http://user@www.microsoft.com/ Ditto. > http://user:pass@www.microsoft.com/ Ditto. > http://www.microsoft.com@/ Ditto. > http://www.microsoft.com@ Ditto. > http://www.microsoft.com:80a/ Ditto. > > All of the above return invalid syntax error. > @ before host will trip the error > non numberic port will trip the error. As well they should. As noted previously RFC 2616 overrules the generic URI syntax specified in RFC2396 to be: http_URL = "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]] It explicitly retains the RFC2396 definitions of "host" and "port". Essentially "host" can only be alphanumeric or "-" or "." while "port" can only be digits. Furthermore, where the userinfo syntax is defined from RFC 2396 it even notes this exception: "Some URL schemes use the format "user:password" in the userinfo field. This practice is NOT RECOMMENDED, because the passing of authentication information in clear text (such as URI) has proven to be a security risk in almost every case where it has been used." Please note the word "SOME". To be clear, neither the http nor https schemes use that format. > http://www.micro%20soft.com/ > This did not return invalid syntax it returned Cannot find server. A quibble/bug with their browser. The syntax *is* wrong, but the error message is gets the point across. To reiterate the main, Microsoft is correct -- user:pass is not allowed in http and https URIs. Finally I don't why we are even argueing about this fact under this bug. The place to question this is on the HTTP-workinggroup mailing list, where unsurprisingly it came up this week. The subject was basically closed by the author of RFC 2616 and chairman of the HTTP-workgroup. http://lists.w3.org/Archives/Public/ietf-http-wg/2004JanMar/0006.html 'That form of URI has been officially deprecated by the IETF for over 9 years. The HTTP standard doesn't even allow it for "http" URIs.' --Roy T. Fielding Therefore, the proper thing to do is to delete support for cleartext URL authentication from http/https. If Mozilla doesn't wish to do that then at the VERY least implement comment 177 and put up the password dialog box.
As somebody who's Firebird home page uses a user@ URL, I have to ask that we do not follow MS's example of dropping support entirely. (Even if it is technically correct per the RFCs) I was even against any kind of pop-up, but after seeing a spoof/scam attempt in real life I feel a little differently. For an example of why adding something to/near the address bar or adding something to the status bar doesn't work, see this page: http://www.dce.k12.wi.us/tech/urlspoofing.html Unless we drop URL authentication entirely, nothing we do is going to keep a user from clicking on that link (or pasting it) if they don't know about spoofing. Look at the URL listed and look at the screenshot. In the screenshot, only the little window (with no address bar or status bar) is using spoofing. The URL in the bigger window is obscured, but that doesn't matter... that URL is completely legit. Even choosing to right-click and select View Page Info only gives something like this: http://www.dce.k12.wi.us/tech/images/ccsafety/page-info.jpg (The only indication of where the page is reads URL: http://www.citibank.com:23 in this case. So two things are clear from this example: 1) A pop-up of some kind is neccessary. Even fairly educated users could get tricked with this kind of spoof. 2) The "View Page Info" dialog should probably either strip user/password from the URL or should add a "Host:" entry. I'm still in favor of a standard authentication dialog (or perhaps slightly modified) which pops up for any URL containing user or user:password info. I would like to see it keep the "Use Password Manager to remember these values" checkbox... and once saved not display the dialog any more for that URL. This last part, while not actually neccessary, would significantly lower the irritation factor for those of us who actually do use URLs like this. By the way, getting rid of plaintext auth in the URL is actually not a 100% fox for this particular example. The scamster could use an initial link like &lt;a href="someurl"&gt;http://www.citibank.com/emailconf.html&lt;/a&gt; Once they visit the link, the only indication something is wrong would be to View Page Info on the 2nd window. Since they didn't use spoofing, no fix we do for this bug would prevent it. So, my vote is (again) for <a href="http://bugzilla.mozilla.org/show_bug.cgi?id=122445#c177">Comment #177</a> with the additional Password Manager changes from <a href="http://bugzilla.mozilla.org/show_bug.cgi?id=122445#c178">Comment #178</a> NOTE: The link used by the scamster initially was http://www.citigroup.net:6F85YwvH8@daqq1fd9c.Da.rU/?uCzpNb with nearly everything after ".net:" URLencoded (except the @.) It looks like the server operators have removed that page now.
Just so everyone knows, whatever applies to HTTP applies to HTTPS. From RFC 2818: 2.4. URI Format HTTP/TLS is differentiated from HTTP URIs by using the 'https' protocol identifier in place of the 'http' protocol identifier. An example URI specifying HTTP/TLS is: https://www.example.com/~smith/home.html
Please disregard my RFC comment in comment #210 I no longer believe what I said there and have read over several sections from several RFCs and wish to weigh in. RFC 1738 - Uniform Resource Locators RFC 1808 - Relative Uniform Resource Locators RFC 2396 - Uniform Resource Identifiers -this RFC updates and merges the two previous RFCs -As of the finalization of RFC 2396 section 3.3 from RFC 1738 still applies because of the below paragraph in Section 1 of RFC 2396 This document updates and merges "Uniform Resource Locators" [RFC1738] and "Relative Uniform Resource Locators" [RFC1808] in order to define a single, generic syntax for all URI. It excludes those portions of RFC 1738 that defined the specific syntax of individual URL schemes; those portions will be updated as separate documents, as will the process for registration of new URI schemes. This document does not discuss the issues and recommendation for dealing with characters outside of the US-ASCII character set [ASCII]; those recommendations are discussed in a separate document. -Section 3.3 from RFC 1738 which makes clear no username and password are allowed for HTTP URI. -RFC 2396 which is the current definitive document on URI states that it is a superset and not all URI include all parts of the superset From RFC 2396 This paper describes a "superset" of operations that can be applied to URI. It consists of both a grammar and a description of basic functionality for URI. To understand what is a valid URI, both the grammar and the associated description have to be studied. Some of the functionality described is not applicable to all URI schemes, and some operations are only possible when certain media types are retrieved using the URI, regardless of the scheme used. -RFC 2396 promises that section 3.3 of RFC 1738 will be updated in the future by another RFC. RFC 2616 - Hypertext Transfer Protocol -This RFC replaces section 3.3 of RFC 1738 **** SUMMARY ****: RFC 1738 and 1808 have been completely replaced from a HTTP standpoint by RFC 2396 and RFC 2616 I recommend any further posts take this into consideration and do not quote from the old RFCs anymore. Also previous to RFC 2616 it is clear that no username and password were allowed (section 3.3 of RFC 1738). Any argument for username and password in HTTP URI must use RFC 2396 and RFC 2616 to show that post RFC 2616 username and password were added to the HTTP URI scheme.
From: http://lists.w3.org/Archives/Public/ietf-http-wg/2004JanMar/0006.html >That form of URI has been officially deprecated by the IETF >for over 9 years. Can someone find a reference to validate that statement?
To determine a valid HTTP URI we need two RFCs RFC 2396 and RFC 2616 RFC 2616 takes the following definitions from RFC 2396: URI-reference absoluteURI relativeURI port host abs_path rel_path authority Section 3.2 of RFC 2616 states: The "http" scheme is used to locate network resources via the HTTP protocol. This section defines the scheme-specific syntax and semantics for http URLs http_URL = "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]] These definitions are from RFC 2396 host = hostname | IPv4address hostname = *( domainlabel "." ) toplabel [ "." ] port = *digit Which means host and port can be empty. RFC 2616 states that abs_path is a Request-URI as specified in Sectin 5.1.2 Section 5.1.2 allows authority for the CONNECT method. authority has a long definition but basically it means you can use username:password@host By using the http scheme the following would be a VALID Request URI: CONNECT http://username:password@www.mozilla.org/index.html HTTP/1.1 By using the http scheme the following would be a INVALID Request URI: GET http://username:password@www.mozilla.org/index.html HTTP/1.1 Unfortunately the CONNECT method is not defined in RFC 2616 and is just referred to a work in progress: [44] Luotonen, A., "Tunneling TCP based protocols through Web proxy servers," Work in Progress. [jg647] Problem: The Mozilla Location bar as it works now does not just accept an http get request it accepts any URI and translates it to a client request internally based on assumptions of what a user expects. Users do not specify their request method and mozilla currently accepts valid URI syntax. Possible Solutions: Mozilla can take a partial request such as: http://www.mozilla.org and convert it to at least these four proper requests: GET http://www.mozilla.org/ HTTP/1.1 or GET / HTTP/1.1 Host: www.mozilla.org or HEAD http://www.mozilla.org/ HTTP/1.1 or HEAD / HTTP/1.1 Host: www.mozilla.org Similarly mozilla can take a partial CONNECT request: http://username:password@www.mozilla.org and convert it to a proper GET request using the authorization header: GET / HTTP/1.1 Host: www.mozilla.org Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ= Read more on the authorization header at RFC 2617 CONCLUSION: The decision is up to us.
Re-read comment 211 (especially the part that quotes the rfc saying "No user name or password is allowed"). Rfc 1738 is dated December 1994 so that's where the nine years comes from. IE's change to stop supporting this format has broken PayPal links. Given MS's marketshare and the clout of thousands of merchants accepting PayPal who want their money we should probably hang on a while longer and see how this settles out.
Daniel RFC 1738 no longer applies.
I know 1738 has been superseded, but in comment 218 you asked for documentation for the "deprecated...for over 9 years" comment: rfc 1738 came out nine years ago. The newer RFCs aren't as explicit on the issue, but neither can they be read as reversing course from 1738. The browser community has ignored this aspect of the RFCs for over nine years as stated in the message you linked to.
Ok, I understand what you are saying. Thanks for the clarification. :)
Setting this bug to blocking 1.7a+. Adam, can you help chase down reviews for this patch.
Flags: blocking1.7a? → blocking1.7a+
Blocks: 157354
Blocks: 228612
Adam: I hope you don't mind, I've changed the ownerships. I'm going to ask again, that people stop commenting on issues that should be discussed in other bugs. I'm trying to summarize all the spoofing issues in one document and get the other issues broken out. a couple bugs worth looking at: Bug 233865 - very long domain names that confuse users Bug 232567 - remove support for userpass (aka Microsoft solution) -or- warn on bogus userpass info (this bug is drifting as well!) Bug 233340 - only password manager should store URL passwords
Assignee: security-bugs → adamlock
QA Contact: adamlock → benc
Summary: Spoof prevention: Warn if username/password in link (url) looks like a hostname → URL: Spoof : Dialog warning if userpass looks like a hostname
Whiteboard: spoof → spoof [comment only about the patch implementation]
Target Milestone: --- → mozilla1.7alpha
benc, the discussion in this bug is broader than a dialog, in fact many people (incl. developers) voted against a dialog. Removing "dialog" from summary.
Summary: URL: Spoof : Dialog warning if userpass looks like a hostname → URL: Spoof - userpass looks like a hostname
Flags: blocking1.7b+
Flags: blocking1.7a-
Flags: blocking1.7a+
*** Bug 233467 has been marked as a duplicate of this bug. ***
Flags: blocking1.4.2? → blocking1.4.2-
I have created a patch for the file: xpfe/browser/resources/content/nsBrowserStatusHandler.js the onLocationChange function This is my first Mozilla patch, so please be kind if I've not submitted it correctly. I wasn't sure how to do a diff so I manually put + signs for the added lines. For the username and password to be removed you need to set the following about:config variable: browser.urlbar.showUsername false I suggest that variable be set to false by default.
Attachment #143313 - Flags: review?
I talked this over with Darin and we think the better sollution for this is in bug 232567. The approach taken there is to simply not allow going to a URL that contains username and password w/o prompting the user about it. That way we let http:// URL's with username and password continue working, and you can change them in the URL bar n' all, but spoofers won't be able to direct you to their site w/o the user knowing. I haven't followed this bug in detail, but I would suggest that we'd dupe this against bug 232567.
Bug 232567 looks exactly like my comment 177. I personally think it's a great solution, but there wasn't consensus here that it was the best way to go.
Johnny, please do not suggest duping this bug if you haven't read it all. Users have contributed a lot of time to suggestions and a lot of research on RFCs which was not done on the bug you mentioned. Also, my patch solves the problem without displaying a dialog box. Many people here have stated why a dialog simple won't work. Where is the flaw in removing the username and password? There can be no confusion from an end user perspective about what site they are visiting because now the hostname will be shown where they expect it to be. And this method does not break any current applications. Your suggestion and the Microsoft implementation break the Internet as we know it.
(In reply to comment #231) > Where is the flaw in removing the username and password? There can be no > confusion from an end user perspective about what site they are visiting because > now the hostname will be shown where they expect it to be. And this method does > not break any current applications. Your suggestion and the Microsoft > implementation break the Internet as we know it. (1) many users do not look at the URL bar (2) yes, many users just click through alerts, but maybe it'll slow them down just enough... with an alert we can say: "are you sure you want to visit www.evil.com ?" (3) striping the username out of the URL bar makes it difficult for users to edit the username in the URL bar. "now you see it, now you don't." suppose you type the username into the URL, load it, and then want to add something extra to the end of the URL. you'd have to go back and re-add the username portion. that's a pain. (4) if we wait for the user to notice the problem in the URL bar then the evil site would have already loaded. by this time it could have done things with JS to maybe hide the URL bar or cause other mischief. with the alert based solution, the user doesn't see the evil site until they dismiss the alert. i'd hope that from the point of view of a user, the unusual alert dialog would make them somewhat suspicious. and maybe that's enough to keep them from doing something silly. that said, maybe it makes sense to combine both solutions. (that is, if we accept that my point #3 is not significant enough.)
>(1) many users do not look at the URL bar Many users do not look at dialog boxes. For you to even mention that users do not look at the URL bar is silly. The whole point of spoofing is to trick the user by changing what is in the URL bar. if they don't look at the url bar then why bother spoofing with a username and password? You are talking about a COMPLETELY different issue. >(2) yes, many users just click through alerts, but maybe it'll slow them down >just enough... with an alert we can say: "are you sure you want to visit >www.evil.com ?" "are you sure you want to visit www.paypal-security-update.com ?" >but maybe I don't want to break current implementation for "but maybe". With a dialog if they click through without reading, then get confused about what just happened they will look at the url bar and feel reassured because they see: http://www.paypal.com______________________________:345656@www.evil.com/gotyourmoney.html Your suggestion could make the issue worse. >(3) striping the username out of the URL bar makes it difficult for users to >edit the username in the URL bar. "now you see it, now you don't." suppose >you >type the username into the URL, load it, and then want to add something extra >to >the end of the URL. you'd have to go back and re-add the username portion. >that's a pain. goto about:config set browser.urlbar.showUsername true problem solved! users who edit username portions of the url tend to understand how the syntax works and what the @ symbol means. so showing the username and password for them is no issue. >(4) if we wait for the user to notice the problem in the URL bar then the evil >site would have already loaded. by this time it could have done things with JS >to maybe hide the URL bar or cause other mischief. with the alert based >solution, the user doesn't see the evil site until they dismiss the alert. You will have to turn off JS to be safe from what you are describing. Because that can be done to trick a user when spoofing hasn't occured.
> (1) many users do not look at the URL bar See answer to (4) > (2) yes, many users just click through alerts, but maybe it'll slow them down > just enough... with an alert we can say: "are you sure you want to visit > www.evil.com ?" Dialogs are generally considered bad, and I think it's a fairly accepted hypothesis that users don't read them. > (3) striping the username out of the URL bar makes it difficult for users to > edit the username in the URL bar. "now you see it, now you don't." suppose > you type the username into the URL, load it, and then want to add something > extra to the end of the URL. you'd have to go back and re-add the username > portion. that's a pain. Would you really? If you just modify/add something to the path-section of the url then wouldn't mozilla automatically log you in again? Using the username/password that you're already logged in using. If I log in to a site (using normal login-procedure, not using username/password in the url) and then click on a link on that site mozilla won't ask me again for username and password. > (4) if we wait for the user to notice the problem in the URL bar then the > evil site would have already loaded. by this time it could have done things > with JS to maybe hide the URL bar or cause other mischief. with the alert > based solution, the user doesn't see the evil site until they dismiss the > alert. i'd hope that from the point of view of a user, the unusual alert > dialog would make them somewhat suspicious. and maybe that's enough to keep > them from doing something silly. We should not only modify the code that displays the url in the urlbar. We should also modify what we are displaying in the statusbar when the user hovers the link. So if I hover the link "http://foo:bar@evil.com/" we should display "http://evil.com/ (logging in as username 'foo', password 'bar') in the statusbar. If users don't look at either statusbar nor url-bar there is nothing we could do, since the site might just as well link directly to evil.com without any obfuscation.
What's displayed in the URL bar is what matters, if anything, since spoofing the status bar is trivial, and no matter what we do they can always override what's shown on the status bar, as long as our users don't disable setting the status bar text (which I bet 99% of our users won't do).
(In reply to comment #233) > The whole point of spoofing is to trick the user by changing what is in the URL bar. exactly. and how do those URLs get in the URL bar? perhaps from an email message. if the user clicks on the URL, then it gets put in the URL bar. what motivates the user to look at the URL bar? > if they don't look at the url bar then why bother spoofing with a username and > password? because users click on links. attackers cannot affect the text in the URL bar unless the user clicks on a link. this attack is about (1) tricking users into clicking on a link, and then (2) tricking users into thinking that they should use the resulting site. changing the URL bar only helps with (2), but as i've said... once the site loads, there are more things the attacker can do to try to keep you on the site. if we can help users avoid going to evil sites, then we are better off. > >(2) yes, many users just click through alerts, but maybe it'll slow them down > >just enough... with an alert we can say: "are you sure you want to visit > >www.evil.com ?" > "are you sure you want to visit www.paypal-security-update.com ?" > >but maybe > I don't want to break current implementation for "but maybe". With a dialog if > they click through without reading, then get confused about what just happened > they will look at the url bar and feel reassured because they see: > http://www.paypal.com______________________________:345656@www.evil.com/gotyourmoney.html this is why i suggested combining both solutions. > Your suggestion could make the issue worse. maybe. > goto about:config set > browser.urlbar.showUsername true > problem solved! > users who edit username portions of the url tend to understand how the syntax > works and what the @ symbol means. so showing the username and password for them > is no issue. this sounds reasonable to me. > >(4) if we wait for the user to notice the problem in the URL bar then the evil > >site would have already loaded. by this time it could have done things with JS > >to maybe hide the URL bar or cause other mischief. with the alert based > >solution, the user doesn't see the evil site until they dismiss the alert. > You will have to turn off JS to be safe from what you are describing. Because > that can be done to trick a user when spoofing hasn't occured. please explain. only JS from a page that got loaded can run. i'm proposing preventing script from evil pages from ever getting a chance to run.
> Would you really? If you just modify/add something to the path-section of the > url then wouldn't mozilla automatically log you in again? Using the > username/password that you're already logged in using. > If I log in to a site (using normal login-procedure, not using username/password > in the url) and then click on a link on that site mozilla won't ask me again for > username and password. good point sicking. this makes my point 3 pretty irrelevant. however, it might be an issue for FTP. hmm... switching between anonymous and user login modes.
Re: comment 237 my patch only removes user and pass from http, https I agree with you that for ftp it's important to keep there, plus there is no ftp spoofing issue.
I don't see why the same problem doesn't apply to ftp? Nor why the same solution couldn't be used.
>please explain. only JS from a page that got loaded can run. i'm proposing >preventing script from evil pages from ever getting a chance to run. you do have a point if people click no on a dialog you suggest they will not be subject to any trickery from JS. My main point is that the only JS trick that is affective against my method is popping a new window and removing the url bar. we have a pop up blocker to protect users from this. and if user enters sensitive information on a site which doesnt show the url bar, we would need more than 2 years to figure out how to "properly" save those people from scames. I believe we are speaking of 2 different groups of people we are trying to help. Let me elaborate. If you do a statistical bell curve. there will be 2 or 3% of people who dont read the url bar, unsaveable. and I would argue that those that do not read the url bar, are beyond saving and if you had 10 cents for ever person who reads dialogs but not the url bar you wouldn't have a dollar. there will be 2 or 3% of people (like us) who can mentally parse the url syntax. we don't need help. then there will be 95% of the people who read the url bar but have no knowledge of url syntax and get tricked by spoofing because most of the sites they visit never use a user/pass so they aren't aware that information can be shown in the url bar. these are the people who will benefit from the fix to this bug. I think you are not taking human nature into account with your popup idea. because people dont read them and if they do, people usually want to see what's behind the hidden door and will click yes anyways. but i do understand that this is not an issue if there is a combined approach you spoke of. >because users click on links. attackers cannot affect the text in the URL bar >unless the user clicks on a link. >this attack is about (1) tricking users into clicking on a link, and then (2) >tricking users into thinking that they should use the resulting site. >changing the URL bar only helps with (2), but as i've said... once the site >loads, there are more things the attacker can do to try to keep you on the >site. > if we can help users avoid going to evil sites, then we are better off. The easy part of the scam is getting people to click on the link. because most links dont show the location they show other text "PayPal" as opposed to http://www.paypal.com The harder part is to get people to believe they are at the legitamite site after they get there (I understand you say dont let them get there, but I think they will get there, especially if they are worried about having their "account closed"). Scammers are smart, they even made these fake sites link to the real sites. For the vast majority of people showing the location without the username/password will solve the problem. The important things in my opinion are this: 1) dialog breaks auto-login systems (may solve this problem, creates another) 2) dialog with removal of user/pass from url, breaks auto-login systems (will solve problem, still creates another) 3) remove user/pass. it's simpliest solution and will solve the problem, no new problem created. this is a numbers game. how many people will get upset from a dialog? many. how many people will get upset if we remove user/pass? how could they because they can turn it back on from their end. end result of my suggestion is problem solved, no websites broken. end result of a dialog/combo suggestion is problem solved, many websites broken, many people annoyed.
Re: comment 239 Jonas, as far as I know users cannot enter sensitive information, credit cards and bank info on an ftp site. ftp sites are for download and upload of files and do not allow form processing so user cannot be tricked into entering anything bad on an ftp site.
Put an html-file on an ftp-servet. Let the html-page have a form that posts the data to an http-server. Direct the user to the html-file while 'spoofing' the url. Done.
Jonas, can you create a test case for what you are speaking of? From my knowledge when a user clicks on an html file on an ftp site they will be prompted to download the file. It will not actually be rendered.
> Jonas, can you create a test case for what you are speaking of? > From my knowledge when a user clicks on an html file on an ftp site they will be > prompted to download the file. It will not actually be rendered. I don't have access to a public ftp-server currently so I can't create a testcase. But no, we don't do anything different when 'surfing' on ftp vs. http.
jonas is right. it's no different than loading a HTML file off the local filesystem. that HTML file could very well include a form post to a HTTP server. so, you serve the HTML file over FTP... the end result is the same. the attackers page is loaded into the browser, and from there on it can use a combination of HTTP and FTP URLs to maintain the elusion. so, i agree with jonas that we'd want to strip out the username and password for all URL types.
Darin are you claiming you can render HTML and an HTML form on an ftp server? if the user has to load HTML from his hard disk, it's not likely he's going to be fooled by spoofing. why would anyone enter sensitive information under such circumstances? if you can indeed show me that you can render an HTML form on an ftp server (without saving and opening locally), then you have a valid point. Otherwise, you are out in left field and you don't even understand this issue. there are other issues that call for removing username and pass from ftp, like someone "looking over your shoulder", however those are other bugs and other issues. spoofing definitely has nothing to do with ftp.
You don't "render HTML on an ftp server" any more than you render HTML on an http server. You just send the file to the browser, and the browser will render it, after guessing the content type. First example I came across: ftp://www.mirror.ac.uk/pub/Apache/HEADER.html
moreover, mozilla supports pluggable protocol handlers. that means you could write a mozilla extension that defines the "x-foobar" URI type. this URI type could likewise support download a HTML file (in fact it could work just like HTTP). this URI type could also support the concept of login, with the standard URI syntax for such things. while it is true that the only other protocol that would be common enough to be useful by an attacker is FTP, from a code point-of-view it makes no sense to limit this URL bar patch to HTTP.
I stand corrected and I learned something new. Thanks guys. Darin, I'll submit a modified patch. Do you suggest I only check for http, https and ftp or should I not discriminate based on protocol and remove it for all URI?
Peter: you should not discriminate based on protocol.
Peter Kroll, parse: I see you used string parsing in your patch. I think you should use nsIURI/nsIURL (using nsIIOService) to parse the URL. hookup: While looking up to onLocationChange() is a great idea, I'm not sure that's the right place (statusbar etc.). Compare <http://bugzilla.mozilla.org/attachment.cgi?id=137693&action=view>. diffs: You can create diffs using |cvs diff|, assuming you have CVS dirs in the tree and cvs installed. Otherwise PatchMaker may help. Your file was still easily readable for humans.
Comment on attachment 143313 [details] [diff] [review] remove username and password based on boolean preference patch rejected: Use the nsIURI interface (already available as locationURI) to manipulate in a standard way -- we've had security bugs due to different bits of code trying to implement local URI parsing. getBoolPref() will throw an exception if the pref is not defined -- protect with a try/catch since there's still more to do whether this fails or not. I'm not sure this interacts with userTypedValue correctly -- if the user has typed in this URL it's not a spoof and we shouldn't change it. I don't think we need a pref to show the real URL. Couldn't a savvy user get that from the page info screen, and that'd be quicker than changing the pref and then changing it back to a safe value. If you do add the pref, however, your patch needs to including adding the default value to all.js to avoid causing the exception mentioned earlier. stylistically we prefer to use boolean values directly rather than explicitly comparing to true/false. "if (!pref.getBoolPref(...))" is fine. Whatever we decide to do needs to be done for Firefox as well. Is http://lxr.mozilla.org/mozilla/source/browser/base/content/browser.js the equivalent spot?
Attachment #143313 - Flags: review? → superreview-
Flags: blocking1.7?
i changed the preference name to browser.urlbar.showUserPass with a default value of false. in modules/libpref/src/init/all.js
Attached patch using nsIURI instead of local parsing (obsolete) — — Splinter Review
patch for xpfe/browser/resources/content/nsBrowserStatusHandler.js to be used with patch 144499 I have removed the local parsing and used the nsIURI interface. I have added the appropriate try/catch blocks. I believe I am now correctly interacting with userTypedValue.
Attachment #144500 - Flags: review?
Flags: blocking1.7? → blocking1.7+
*** Bug 140064 has been marked as a duplicate of this bug. ***
Here's a spoofed URL I received by mail only yesterday (HTML codes simplified): a href="http://web.da-us.citibank.com%6Csignin%6Ccitifi%6Cscripts%6C@%69%73%61%70%69%31%30%30%2E%69%6E%66%6F/%69%6E%64%65%78%2E%68%74%6D" IMG SRC="cid:5BA9EF1D.EF859523.2146CE54.5258F8AC_csseditor" border="0" ALT="" /a
dependencies the wrong way 'round.
No longer blocks: 157354, 228612
Depends on: 157354, 228612
Attachment #143313 - Attachment is obsolete: true
Comment on attachment 144500 [details] [diff] [review] using nsIURI instead of local parsing see patch in bug 157354 instead
Attachment #144500 - Flags: review? → review-
Comment on attachment 144500 [details] [diff] [review] using nsIURI instead of local parsing see patch in bug 157354 instead
Attachment #144500 - Attachment is obsolete: true
*** Bug 228521 has been marked as a duplicate of this bug. ***
Depends on: 232567, 240754
Flags: blocking1.7a-
Flags: blocking1.6-
Flags: blocking1.4.2-
Flags: blocking1.7+ → blocking1.7-
Just grabbed Firefox 0.9RC1. And I must say... I REALLY hate the way this was handled in FireFox. Not one but TWO dialog box pop-ups every time you have a URL with an embeded user/pass. I just hope Mozilla didn't do the same thing.
Mozilla does, but it was just fixed. bug 246106
*** Bug 249034 has been marked as a duplicate of this bug. ***
i read about this bug through the 1.8a2 release readme i think their is a way that mozilla can avoid it their has to be ":" in the text before the @ then if their wasn't then matbe it would report it as invalid url
Certainly a lot of comments have been passed around. But as a user I prefer to rest assured that the URL I am visiting is from the site I am expecting. A simple way to do this is as proposed with a new style of displaying host site (You would know which server you are contacting) and any extra security information available. There has been debate over screen real estate but I have noticed a lot of screen real estate on the status bar. I am sure this can be incorporated there. As a user I am frightened that some well crafted email can dupe people into thinking they are visiting a trusted site.
KS: See bug 245406. Gerv
Aviary is temporarily regressing a fix/workaround which made part of this problem less of a problem (bug 252811) by landing the fix for bug 22183, so we will need a solution to this problem for the 1.0 release. Setting flag to blocking 1.0 to make sure we don't drop this one.
Flags: blocking1.7b+ → blocking-aviary1.0+
I think this is the bug responsible for the "You are about to log on to the site $x with a username of $y" warning in Firefox 0.10. Minor issue with it: if you click No to this dialog, the favicon is loaded and put in the current tab anyway. I guess there's not really any security issue with that, but it's pretty bad form. Also, shouldn't there be a checkbox to disable this warning in the future (defaulting to "continue to show" of course), for people who actually know how to read a URL? I should think some intranets make use of user@host links for legitimate purposes.
jmd: Please file new bugs in, well, new bugs. Thanks!
> jmd: Please file new bugs in, well, new bugs. Thanks! Well, the status whiteboard DOES say to comment about the patch! Anyway, filed: bug 260988 - favicon loading issue bug 260989 - add a checkbox to disable warning pop-up
Flags: blocking1.7-
This does not block... dveditz fixed this in docshell independently of any aviary UI.
Flags: blocking-aviary1.0+
A couple of newer bugs that describe similar vulnerabilities: Bug 275417 - Download dialog source spoofing Bug 258601 - downloading a long file name will not display the full file name As for this bug, it seems to be fixed in both Seamonkey and Firefox. Is there any reason to keep it open? Prog.
No longer blocks: majorbugs
This bug should be closed? Seems nicely fixed to me.
So, is this bug fixed, or isn't it? I didn't dare clicking the link in comment #2 to see what actually happened.
at least in firefox 3, url in comment #2 it shows a warning that is trying to open a connection to hardware.no when you might think that its going to www.microsoft.com so yes, i think it could be called as fixed
Since I don't know where it was "fixed", I'm tentatively marking this bug WORKSFORME. Notes for anyone visiting this bug: - If it doesn't work for you on a "trunk" version (at the moment Firefox 3 or SeaMonkey 2), please REOPEN and paste your user-agent string in your comment, that string can be found on the about: page and looks more or less like this: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9pre) Gecko/2008041201 SeaMonkey/2.0a1pre - If it doesn't work for you on Firefox 2 or SeaMonkey 1.1.x, _don't_ reopen but paste your user-agent as above and add [needs fixing 1.8] in the "Whiteboard" field at top (FIXED means "fixed on trunk"). - If it doesn't work for you on Firefox 1.5.x or earlier, on SeaMonkey 1.0.x or earlier, or in the Mozilla Suite, the only solution is to upgrade to a newer model, because these aren't supported anymore.
Status: NEW → RESOLVED
Closed: 17 years ago
Keywords: helpwanted
Resolution: --- → WORKSFORME
Whiteboard: spoof [comment only about the patch implementation]
See comment 260 from Daniel Veditz: > (From update of attachment 144500 [details] [diff] [review]) > see patch in bug 157354 instead So, this was fixed, and the patch attached here originally, the patch was just checked in in another bug and Dan forgot to mark this one FIXED.
Resolution: WORKSFORME → FIXED
(or a different patch to fix this was used)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: